[Ach] Removed prosody

Alexander Wuerstlein arw at cs.fau.de
Thu Feb 19 20:22:57 CET 2015


On 2015-02-19T20:09, Aaron Zauner <azet at azet.org> wrote:
> 
> 
> Matthew Wild wrote:
> > 
> > People absolutely should be able to configure their server how they
> > want to, and I want to allow that. But there is a real cargo-cult
> > approach to system security gaining popularity, instead of securing
> > the software upstream. It worries me.
> 
> I cannot agree more, it is vital that all this is fixed upstream. Our
> project intended to be an intermediate solution. A lot has been fixed in
> OpenSSL, TLS specs and various server daemons (e.g. Apache, MTAs,
> OpenSSH,..) since.

The big problem with fixes from upstream is that usually crypto
improvements are not classified as security fixes and therefore not
backported to the older releases that are in widespread use. Or even
worse, many software projects don't even support the older branches that
distributions ship.

For non-configuration changes, distributions usually take care of the
necessary backporting, but for configuration this is usually not
feasible. Admins therefore have to fix the resulting insecure
configurations by themselves which leads to the aforementioned mess.

This could be fixed by backports of default crypto config or at least
publishing configuration advice for old releases. Which is of course a
task for upstream, distros or projects.



Ciao,

Alexander Wuerstlein.



More information about the Ach mailing list