[Twisted-Python] TLS broken with twisted.words.protocols.jabber

[glyph at divmod.com]

On 22 Nov, 06:02 pm, jack at chesspark.com wrote:
>>In other words, this really has nothing to do with Twisted, and 
>>everything
>>to do with the fact that Debian should not be screwing around with 
>>OpenSSL.
>>  Have they already forgotten what happened last time?
>
>Nothing to do with Twisted, yet this means that all my users attempt
>to use my code will likely fail unless they recompile their distro's
>openssl or upgrade to the next  version (if it gets fixed upstream in
>a next verison).

Sorry, you seem to have misunderstood me.  I'm not saying "let's not 
backport this fix".  I'm saying that backporting the fix is a band-aid; 
the real issue is in the openssl package.  Some effort should be devoted 
to fixing it there.

Also, you could apply an equally band-aid solution to your own code 
immediately.  It shouldn't interfere with the band-aid in Twisted.
>This essentially makes my code useless to many, not to mention a pain
>in the ass for myself.

You're not the only one.  The only reason that a zillion people haven't 
noticed this already is that pidgin uses nspr/nss to talk to gtalk, not 
openssl.
>You've already committed the fix to 8.2 and trunk.  All I'm asking is
>for a bugfix release for 8.1 and possibily 8.0.  I don't understand
>why we are arguing about whether the fix is correct when the question
>is whether to backport it; it is already accepted and committed.

As far as I'm concerned this is entirely up to the discretion of the 
release manager, Christopher Armstrong.  For my part I'm +0, unless 
doing a maintenance release will actually get Ubuntu to include the 
fixed 8.1 in an update, in which case I'm +1.

And again, I'm not against it, but I don't see the point of backporting 
to 8.0; who will have both twisted 8.0 and a system affected by this 
issue?