On 06/22/2017 01:04 AM, Victor Stinner
wrote:
About the cipher list in ssl, the change itself is
simple but it's to blacklist DES and 3DES since it has been
proved that these ciphers are really too weak nowadays:
Not "blacklist"--IIUC the user can still manually specify whatever
cipher suites they like. And not DES... who knows how long ago that
was removed from the list.
This change in 3.4 removes 3DES from the default permissible
cipher list, changing those entries to use "HIGH cipher suites"
instead (OpenSSL's term for "cipher suites with key sizes >= 128
bytes"). It also adds ChaCha20 to the default cipher list.
By the way, is Larry the only one to be able to
merge changes in 3.4? Before GitHub, all core dev were
technically allowed to push in security-only branches.
Oh? Am I? **insert evil laugh** Ladies and gentlemen, get out your
checkbooks! 3.4 is about to get... expensive.
Seriously, though, I was mostly hoping other people would handle the
security stuff and just keep me informed. If I'm the only one
permitted to accept PRs into 3.4 (and soon 3.5), okay, I can work
with that. I'm still probably gonna delegate the actual judgment of
the validity of the PRs. But obviously it'll mean I'll have to be
more hands-on, where so far I was assuming I could just let other
people handle it.
Currently the security-only branches are set so that only release managers can merge PRs since they technically are on the hook if some compatibility breaks due to some patch (e.g. I expect Ned to use this for 3.7 once we hit rc to really control what goes in last minute). It's easy enough to turn this protection off, though, if people want.