On 06/05/2018 12:55 PM, Chris Murphy wrote:
> I don't understand the motivation of departing from upstreams, which
> by their nature are on a knife's edge balancing security and practical
> use in the real world. Why second guess that effort and on what basis?

Totally agree!

> Slightly off topic as an anecdote, but the Payment Card Industry Data
> Security Standard (PCI DSS) is only calling for the end to TLS 1.0
> support at the end of this month, recommending TLS 1.2 but permitting
> TLS 1.1. This is the spec for transmitting people's credit card
> magnetic stripe/chip information for payment authorizations. Now maybe
> that's a bit eyebrow raising, but if they're willing to take the risk
> of allowing TLS 1.1 for such a use case, I hardly think Fedora should
> be jumping the gun.

That's why there's transaction fees. Oops! Oh well, here's a few
million to deal with that. They advertise like they can't get rid of
the money fast enough. I always figured the Visa "Magic Moments" were
something like hot database redirection where some transactions fell off
the end of the cable, landed on the floor and turned into customer's
lucky day simply due to the timing. Like it was easier/cheaper to give
away the fruits rather than fix the real problem.
I doubt it's actually like that, but I do bet they have more luxury than
Fedora does. While I'd prefer the best security, I don't want it at the
risk of things being broken. I don't have the confidence that my
workaround is as safe as an older, more trusting Fedora. When I see those
cipher suite strings my head just goes into a tailspin.