[jdev] manifesto 0.4

Ralph Meijer ralphm at ik.nu
Wed Oct 30 15:15:35 UTC 2013

Dave Cridland <dave at cridland.net> wrote:
>On Wed, Oct 30, 2013 at 12:21 AM, Mathieu Pasquet
><mathieui at mathieui.net>wrote:
>> Before signing the manifesto as a software developer, there are
>> a few things that are unclear and I’m not sure we can commit to
>> this just yet:
>> Dropping SSLv2 is all good and I’m not even sure why SSLv2 was
>> supported initially (doesn’t xmpp appear after SSLv3 was
>> but dropping SSLv3, while also a good idea, might cause issues with
>> of servers (not naming legacy ejabberd or openfire under old debian
>> centos). Hopefully, we have some time to wake up some admins before
>> dates set in the manifesto, but I hope the test days will help
>> troubleshooting the ones that don’t get the memo.
>Well, I think you've answered your own question there. The manifesto
>out the aims, but I'm hoping that we're not so blinkered that we cannot
>adapt the rules as we go along. So if it turns out that - despite the
>Observatory's work so far - SSLv3 is essential for interop, and we
>work with the affected sites to correct this, then we might revisit

I do want to note, though, that XMPP's STARTTLS is only defined to work with TLS, not SSL. Said interoperability issues are basically the result of non-compliancy in implementations, and if we are to drop interop with the current Google Talk network (which doesn't even do non-dialup), I don't see why this should be different.


More information about the JDev mailing list