On Wed, Oct 15, 2014 at 01:58:34PM -0700, Russ Allbery wrote: > It's unlikely that you're going to be able to make better cost/benefit > decisions about these things than well-informed upstreams for general use > cases. Debian is targeted for general use cases. If we were making a > security-hardened distribution that chooses security over interoperability > across the board, we may well want to make other decisions. Unfortunately, not all upstreams make good decisions. OpenSSL ships with a set of default ciphers that is completely insecure. There is no reason that every application using OpenSSL directly or indirectly[0] should have to disable exportable ciphers, especially since almost nobody uses them (nor wants to). HIGH:MEDIUM:!aNULL is a better default. It's fine to defer to upstream where they have a history of good, prudent decision making, but there are upstreams where that's clearly not the case, and Debian should step in and ship software that doesn't have security holes by default. [0] Including virtually every Ruby script that uses HTTPS. -- brian m. carlson / brian with sandals: Houston, Texas, US +1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
Attachment:
signature.asc
Description: Digital signature