


This certainly fits with my thinking. IBM didn't have to enhance code or re-engineer anything to make this fix, merely change defaults. Sure, it still took some work, but it was workable, unlike adding ciphers that the underlying LIC doesn't support.

- Larry "DrFranken" Bolhuis

www.Frankeni.com
www.iDevCloud.com - Personal Development IBM i timeshare service.
www.iInTheCloud.com - Commercial IBM i Cloud Hosting.

On 7/12/2017 10:22 PM, Steinmetz, Paul wrote:
I see both sides of this issue.

Back in July of 2015, IBM released two SSL PTFs to resolve SSL client issues, MF60335, SI57332.
One of these was a request of mine.
It was a hard sell back then, at first, IBM was not willing to fix the SSL issue.

These PTFs allowed you to change the IBM SSL defaults, set TLSV1.2 as default, disable SSLv2, SSLv3, TLSV1, and disable weak RC4 ciphers due to the POODLE and Bar Mitzvah vulnerabilities.

In December 2016, the cipher issue occurred, an RFE was created, (52 votes).

The IBM V7R1 announcements did not come out till April 2017.

One could argue that SSL stopped working, a fix is needed to resolve the issue.

What is also interesting is the amount of recent V7R1 PTFs whose cover letter states "for future enhancement."

Paul

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of DrFranken
Sent: Wednesday, July 12, 2017 8:40 PM
To: John Yeung
Cc: Midrange Systems Technical Discussion; midrange
Subject: Re: SSL Cipher Support and V7R1... and so it begins

To me it is fairly clear on Fix vs Enhancement.

If something is designed to do X and it does X then it is good.

Now if it does X+ or X- in some cases then it is broken and is in need of a fix. That is, it is broken as it does not meet the original design in all cases. For IBM this would require a fixing PTF.

If it is determined after 'a time' that the design no longer meets the requirements then that is a design change rather than a fix. As such any coding is done as an enhancement, not a fix. This would still be delivered as a PTF but it would be an enhancing PTF, not a fix.

It shouldn't really matter why the design needs to change, unless the original design was incomplete and did not meet the needs /at the time of design/. Beyond that case any changes are enhancements and fall into that bucket.

From my point of view then adding additional ciphers to i 7.1 does constitute a design change. The ciphers in there still do exactly what they were designed to do and coded to do. Since that time things have changed (additional compute power, theoretical vulnerabilities have been described, etc) and thus the design needs updating. Updating the design is therefore an enhancement, not a fix.

That's the way I see it at least.

- Larry "DrFranken" Bolhuis

www.Frankeni.com
www.iDevCloud.com - Personal Development IBM i timeshare service.
www.iInTheCloud.com - Commercial IBM i Cloud Hosting.

On 7/12/2017 4:54 PM, John Yeung wrote:
On Wed, Jul 12, 2017 at 10:52 AM, DrFranken <midrange@xxxxxxxxxxxx> wrote:
I'm not trying to say that the instant they declare "Fix only"
support that absolutely zero enhancements would ever be added. I am
saying that adding these ciphers DOES constitute an enhancement, not
a break-fix. As such IBM can say No to adding them. Because it
potentially affects a large group though if it was easy I expect they would do it.

Your tone is conciliatory here, and I appreciate that. But the fact
remains that you're not budging on the notion that reasonable people
can differ on what constitutes a "fix".

The fact that you think IBM would do it if it were easy raises the
question: Why then is it so important whether it's called a "fix"?
Doesn't it (and shouldn't it) really come down to a cost-benefit
analysis? If IBM (or anyone else) feels that it's too much effort for
too little gain, why does it matter which bucket it's in? Why do we
need two buckets in the first place?

Jeff Atwood does a decent job articulating what I'm trying to say:

<https://blog.codinghorror.com/thats-not-a-bug-its-a-feature-request/>

Predictably, a lot of the comments are like your responses to me. They
will probably never understand what the hell Atwood is talking about,
just as I am beginning to feel you will never understand what I am
trying to say.

But there are also a lot of comments that agree with Atwood. I guess
I'll just have to take comfort in that.

John Y.
