Forum OpenACS Development: Should we continue to support PayflowPro?

I have a bug assigned to me containing a patch to update the Verisign PayflowPro module. But before I apply the patch, I wanted to get some opinions on whether we should continue to support this module at all.

As you can read in this thread: https://openacs.org/forums/message-view?message_id=93102 , the latest version of the Verisign SDK is statically linked with an older version of OpenSSL and causes our module to periodically crash AOLserver. Since Verisign has indicated that they don't intend to fix the problem, this situation is not likely to change. I'm wondering if we should therefore deprecate this module, rather than leaving it in the distribution and encouraging people to use it.

Thoughts? If folks are generally positive on this I'll make it a TIP.

Collapse
Posted by Brad Duell on
I support deprecating it.
I'm about to buy some SSL security certificates...

Given this attitude from SSL Certificate Authority Versign, does anyone recommend any other CA's that seem to be more open minded about supporting open source?

Collapse
Posted by Nagita Karunaratne on
Getting off topic here, but have you looked at InstantSSL (http://www.instantssl.com/) that was mentioned here recently?
Collapse
Posted by Torben Brosten on
OT? You are right, Nagita Karunaratne. Back to topic.

OpenACS has a a working alternative, the AuthorizeNet gateway package[1]. Since alternatives exist for Verisign's other common offering, SSL Certificates[2], I say..

..deprecate the PayflowPro package.

1. https://openacs.org/doc/openacs-4-6-3/authorize-gateway/
2. http://news.netcraft.com/archives/2003/04/09/netcraft_ssl_survey.html

Collapse
Posted by Torben Brosten on
For the record, the Verisign "freeware apache notice"[1] suggests that SSL support (including liability) would be limited for an aolserver running OpenACS 4.6.3 (using Aolserver3.3oacs1).

1. https://digitalid.verisign.com/server/apacheNotice.htm