On Wed, Aug 5, 2015 at 6:27 AM, Bjoern Voigt <bjoernv@arcor.de> wrote:
I heard about the development model for the next openSUSE release Leap 42.1.
What are the proposed guidelines for security-relevant packages? (I mean base security libraries like OpenSSL and security-sensitive application packages like Apache or Sendmail.)
Personally I prefer up-to-dateness over maturity for such packages. I would like to explain my rating with an example:
Ever since the POODLE attack it's clear that SSL 3 should be disabled. On http://disablessl3.com/ I found instructions to disable SSL 3 on Sendmail. Unfortunately the Sendmail packages of distributions like Ubuntu 14.04 are not recent enough and the proposed SSL settings are missing. So administrators have two bad alternatives: staying with mature but more or less insecure software, or switching to fresh, secure, unsupported and sometimes unstable packages.
The example is about Ubuntu 14.04. But will openSUSE go in the same direction?
Looks like you need Tumbleweed. You do not even need to do anything in your example case, because Tumbleweed's OpenSSL does not have SSLv3 support (disabled since late June).