[Pkg-openldap-devel] Bug#462588: Same problem
Steve Langasek
vorlon at debian.org
Fri Feb 8 02:53:22 UTC 2008
On Sun, Feb 03, 2008 at 05:29:47PM -0800, Russ Allbery wrote:
> > I'm pretty sure I don't want to implement support for migrating the full set
> > of OpenSSL cipher specs in shell. :P
> > Do you think converting the above aliases would be good enough coverage?
> > Or do we need to provide some upgrade handling for all the
> > possibilities, and therefore we're doomed to add yet another debconf
> > error message here? In the latter case I'm probably not going to spend
> > the effort on auto-migrating any of the values.
> I would just comment out the cipher list directive completely on upgrade
> and document the need to correct it manually if desired in NEWS.Debian.
> The most common use of this directive is to restrict use of weak ciphers,
> which GnuTLS doesn't support in the first place.
My natural inclination here then is to still make this a debconf error
message, when one of these TLSCipherSuite lines is detected. It's not nice
to translators, but an untranslatable NEWS.Debian file isn't nicer to users
than an untranslated debconf template anyway, and with a debconf error we
can directly notify the users whose configs have had to be changed.
> It is unforunate that GnuTLS doesn't support the same general keywords as
> OpenSSL, and it seems like that would be easy enough for GnuTLS to add.
> Maybe a wishlist bug against GnuTLS is in order?
Filed as bug #464625.
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek at ubuntu.com vorlon at debian.org
More information about the Pkg-openldap-devel
mailing list