
Re: openssl-vulnkey and python



On Thu, 27 Aug 2009 15:46:51 +0930
Ron <ron@debian.org> wrote:

> On Thu, Aug 27, 2009 at 07:09:04AM +0100, Neil Williams wrote:
> > On Thu, 27 Aug 2009 15:12:20 +0930
> > Ron <ron@debian.org> wrote:
> > 
> > > On Wed, Aug 26, 2009 at 08:16:18PM +0100, David Goodenough wrote:
> > > > Actually it is openssl-blacklist that contains openssl-vulnkey, and
> > > > in sid openssl depends on that.  And as openssl-vulnkey is written in
> > > > python it is rather needed.

If openssl did depend on the blacklist that would be a Policy violation
as it would make a circular dependency - the blacklist depends on
openssl, not vice versa.

Is something else bringing in the blacklist?

I'm still not sure why an embedded device needs to have openssl-vulnkey.

> > > $Someone should just rewrite that in a $real language. The gratuitous extra
> > > dependency on python there is annoying for more than just embedded systems.
> > 
> > Or just decide whether you actually need the blacklist on an embedded
> > system - what is the benefit of scanning SSH keys on the embedded
> > device? Scanning for vulnerable keys (by definition old keys) is a
> > service devised for servers where a lot of people have SSH keys.
> 
> The ssh blacklist isn't a problem.  It's only the SSL one that drags in
> python this way.  But breaking the hard dep may indeed be useful also.

OK, misread that but openssl itself doesn't depend on the blacklist, do
you really need the SSL blacklist itself on an embedded device?

-- 


Neil Williams
=============
http://www.data-freedom.org/
http://www.nosoftwarepatents.com/
http://www.linux.codehelp.co.uk/
