> What's odd to me is most of the patches I saw for this were just setting that flag, and not doing anything about truncation attacks? I'm sure this will bite us all somewhere down the line.
It sounds like those are workarounds to get the apps to work again by reintroducing the old behavior. Once they are unblocked, they can refocus on addressing the issue.
It's either that, or remain broken and unusable until further notice.
correct, and specifically with backports there is no other reasonable way to do this. Since the mitigation needs to happen outside of the openssl integration, you need to expose the flag to clients and allow them to make the choice to ignore the error or not, until they handle this. But in a backport, you can't expose new apis like this to clients, because that code isn't getting updated.
It sounds like those are workarounds to get the apps to work again by reintroducing the old behavior. Once they are unblocked, they can refocus on addressing the issue.
It's either that, or remain broken and unusable until further notice.