On Apr 23, 2012, at 5:48 PM, Antoine Pitrou wrote:

[mvl]
So I propose that for the regular bugfix releases, we upgrade the OpenSSL
version, but otherwise take no action at this point.

Agreed.

With two such august opinions I, at least, feel confident we are unlikely to have to scramble to remove a dangerous vulnerability.

Do we need to address this publicly? If nobody is asking any questions then remaining silent and implementing Martin's suggestion seems like the best option.

S
-- 
Steve Holden steve@holdenweb.com,  Holden Web, LLC http://holdenweb.com/
Python classes (and much more) through the web http://oreillyschool.com/