shyouhei / ruby-lang.org wrote:
> 
> We are amateurs about security.  It might be possible to change
> something, then we have no idea what happens with that modification
> and even worse, we cannot maintain that bit when security research
> develops and it turns out our change was in fact ill.

I am also an amateur.  But I read the logic of your statement above as
being in favor of discarding security research that /already exists/
about the weak ciphers and protocol versions.

But: if we are to disregard current research, should not the reason given
be something other than concern over possible future research?


With regard to maintenance, could it be useful to incorporate a check
like https://gist.github.com/cscotta/8302049 in the form of an automated
test which can be run by maintainers prior to the release of a new version
of ruby?  The idea being that such a test may assist in proactively warning
maintainers if/when further improvements to ruby's OpenSSL defaults are
warranted.



Regards,

Bill
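An added example, not code from this thread or from the linked gist, of the kind of pre-release check proposed above: it audits the cipher suites and protocol versions a default OpenSSL::SSL::SSLContext would negotiate and returns the findings so a test can assert on them. The weak-suite patterns, the 128-bit floor and the choice to treat SSLv2/SSLv3 as the forbidden protocols are assumptions made for this example.

```ruby
require 'openssl'

# Assumed for this example: suites matching any pattern (NULL ciphers,
# anonymous DH, export grades, RC4, single/triple DES, MD5 MACs) or below
# the bit floor are treated as weak.
WEAK_CIPHER_PATTERNS = [/NULL/, /\AA(EC)?DH-/, /EXP/, /RC4/, /DES/, /MD5/].freeze
MINIMUM_BITS = 128

# Protocols that must not be negotiable: wire version code (SSLv3 is 0x0300)
# plus the OP_NO_* bit that switches each one off.
FORBIDDEN_PROTOCOLS = {
  'SSLv2' => [0x0002, OpenSSL::SSL::OP_NO_SSLv2],
  'SSLv3' => [0x0300, OpenSSL::SSL::OP_NO_SSLv3],
}.freeze

# Names of suites in `ciphers` ([name, version, bits, alg_bits] rows, the
# shape SSLContext#ciphers returns) that are weak by the rules above.
def weak_ciphers(ciphers)
  ciphers.select { |name, _ver, bits, _alg|
    bits < MINIMUM_BITS || WEAK_CIPHER_PATTERNS.any? { |re| name.match?(re) }
  }.map(&:first)
end

# Labels of forbidden protocols still negotiable. One counts as disabled when
# its OP_NO_* bit is set in `options`, when `min_version` (a version code, or
# nil if unknown) lies above it, or when its OP_NO_* constant is zero, which
# means the linked OpenSSL no longer implements it at all.
def enabled_forbidden_protocols(options, min_version = nil)
  FORBIDDEN_PROTOCOLS.reject { |_label, (code, flag)|
    flag.zero? || (options & flag) != 0 || (min_version && min_version > code)
  }.keys
end

# Build a context as client code usually does (new + set_params, which applies
# SSLContext::DEFAULT_PARAMS) and audit it. The minimum version is read from
# DEFAULT_PARAMS because the context exposes no reader for it.
def audit_default_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params
  min_version = OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:min_version]
  { weak_ciphers: weak_ciphers(ctx.ciphers),
    enabled_protocols: enabled_forbidden_protocols(ctx.options, min_version) }
end

if $PROGRAM_NAME == __FILE__
  report = audit_default_context
  puts(report.values.all?(&:empty?) ? 'OpenSSL defaults: OK' : report.inspect)
end
```

Run against a freshly built interpreter, a non-empty report is the signal that the defaults need attention before release.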