On Sun, Jan 26, 2014 at 10:44 PM,  <mame / tsg.ne.jp> wrote:
> Issue #9424 has been updated by Yusuke Endoh.
>
>
> Martin Bosslet wrote:
>> a) I want to apologize for overlooking this
>
> Ah, you don't need to apologize at all!  I just wanted to clarify what is=
 relieved and what is not.
>
>
>> Like @shyouhei, I still believe the best solution would be asking OpenSS=
L to fix this for all of us.
>
> Me too, but I'm curious about the reason why OpenSSL people don't "improv=
e" the defaults.
> (OT: insecure default is not a bug itself; I'd like to use "improve" rath=
er than "fix".)
>
> One possible answer: They are simply unable, due to various reasons such =
as compatibility, lack of resource, etc.  They have intention of doing that=
 in the future.  There is no problem in this case.
>
> Another answer: Their goal is just to provide toolkit, and secure default=
s are out of scope.  In this case, they won't improve it.  (I have no inten=
tion of blaming them.  Deciding secure defaults is a hard task.  Effort all=
ocation looks quite reasonable to me.)  Anyway, I'm afraid if just waiting =
will not solve our issue in this case.
>

I'm afraid I'm missing something. But I'd like to ask first. Why do
nobody ask OpenSSL first?
They only can answer their intension. I don't think debate a guess on
this list is a good idea.
I believe the best way is a fixing by OpenSSL because, as you pointed
out, either Ruby and
OpenSSL can not make secure Ruby + old OpenSSL case. Therefore, to
workaround for old
OpenSSL is a pointless.

I agree security is important and Ruby sometimes accepted a workaround
patch and should
do in the future too, if we really need to do.
But I disagree just to continue a guess talk. Fixing right place is
always better than a workaround.

I hope my stand point is close to yours.