Message 254971 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	lemburg
Recipients	Lukasa, alex, benjamin.peterson, christian.heimes, dstufft, giampaolo.rodola, janssen, lemburg, pitrou
Date	2015-11-20.11:51:36
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<564F0940.6060800@egenix.com>
In-reply-to	<1448017800.19.0.946147791129.issue25672@psf.upfronthosting.co.za>

Content
On 20.11.2015 12:10, Cory Benfield wrote: > Yeah, while generally speaking OpenSSL doesn't ship betas, it does provide them as tarballs. I have a beta of 1.0.2 floating around somewhere on my machine that I was using for ALPN testing back in 2014, and so I can speak from personal experience and say that people do actually work with betas sometimes. On this issue (defending ourselves from a CVE) my instinct is to be conservative. However, we should allow later patch releases of OpenSSL 1.0.0 to have this optimisation if they're safe. Ah, right. For new major release versions such as 1.0.1 or 1.0.2 they do ship betas, but historically they have often introduced new features in their abcde... level releases without doing betas for those first - that's what I was thinking of :-) > Therefore, I've uploaded a new patch that does allow for 1.0.0m and later to use this optimisation too. It makes the conditional a little more complex, but c'est la vie. LGTM Thanks, -- Marc-Andre Lemburg eGenix.com

On 20.11.2015 12:10, Cory Benfield wrote:
> Yeah, while generally speaking OpenSSL doesn't ship betas, it does provide them as tarballs. I have a beta of 1.0.2 floating around somewhere on my machine that I was using for ALPN testing back in 2014, and so I can speak from personal experience and say that people do actually work with betas sometimes. On this issue (defending ourselves from a CVE) my instinct is to be conservative. However, we should allow later patch releases of OpenSSL 1.0.0 to have this optimisation if they're safe.

Ah, right. For new major release versions such as 1.0.1 or 1.0.2
they do ship betas, but historically they have often introduced
new features in their abcde... level releases without doing
betas for those first - that's what I was thinking of :-)

> Therefore, I've uploaded a new patch that does allow for 1.0.0m and later to use this optimisation too. It makes the conditional a little more complex, but c'est la vie.

LGTM

Thanks,
-- 
Marc-Andre Lemburg
eGenix.com

History
Date	User	Action	Args
2015-11-20 11:51:36	lemburg	set	recipients: + lemburg, janssen, pitrou, giampaolo.rodola, christian.heimes, benjamin.peterson, alex, dstufft, Lukasa
2015-11-20 11:51:36	lemburg	link	issue25672 messages
2015-11-20 11:51:36	lemburg	create