Re: Another Python app (rhn-setup: rhnreg_ks) not checking hostnames in certs properly CVE-2015-1777

[John Haxby <john.haxby () oracle com>]

> On 10 Mar 2015, at 15:56, Kurt Seifried <kseifried () redhat com> wrote:
>
> > None of this, however, has anything to do with the matter at hand.  If
> > no one from Red Hat is unwilling to cooperate in getting a single
> > backward-compatible resolution to incorporating PEP-466 into the
> > distro python versions then perhaps someone else is.
>
> My experience is a lot of people propose a LOT of things on email lists,
> but when it actually comes down to them doing the work, nothing happens
> because quite often the people proposing the work don't have the
> expertise or ability to do it. oss-security@ archives are littered with
> such examples (e.g. the whole code audit thing).
>
> So it's not that I'm unwilling, I simply don't see why you need massive
> corporate/community buy in at this point, premature optimization and all
> that. Build a solution, or more than one solution and try them out, then
> report back to oss-security@ with what works/doesn't work. In general
> the best way to determine what the best solution is for a problem is to
> try several solutions out. Prototype code and experimental data is worth
> 1000 meetings.
>
> Come back to us with data/a working solution and then I'd be willing to
> consider investing some time/energy into this, but until then this is
> simply an experimental project that may not even be needed (who knows,
> we don't because we're basically holding a useless meeting right now via
> email).

You’re not interested, that’s fine.

jch