Your message dated Sat, 12 Dec 2015 21:57:18 -0500
with message-id
<CANTw=moqm+sgzf8zpubtgufeffltggvkmz1lzg70o1uyzmw...@mail.gmail.com>
and subject line Re: Bug#807785: chromium: caches certificate chains
has caused the Debian Bug report #807785,
regarding chromium: caches certificate chains
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
807785: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807785
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: chromium
Version: 47.0.2526.73-1
Severity: normal
Chromium can cache certificate chains, which results in some sites that
actually have up-to-date certificates being listed as having invalid
SHA-1 certificates. While this may be a valid optimization, it should
follow the "as if" rule: the behavior must be exactly as if Chromium
actually validated the entire chain every time.
I encountered this with https://securityheaders.io/. It caused me and
the maintainer of that site headaches trying to figure out why it was
broken. Please fix Chromium not to cache certificate chains unless it
can do so correctly every time.
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=es_US.UTF-8, LC_CTYPE=es_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages chromium depends on:
ii libasound2 1.0.29-1
ii libatk1.0-0 2.18.0-1
ii libavcodec-ffmpeg56 7:2.8.3-1
ii libavformat-ffmpeg56 7:2.8.3-1
ii libavutil-ffmpeg54 7:2.8.3-1
ii libc6 2.21-4
ii libcairo2 1.14.4-1
ii libcups2 2.1.2-1
ii libdbus-1-3 1.10.6-1
ii libexpat1 2.1.0-7
ii libfontconfig1 2.11.0-6.3
ii libfreetype6 2.6.1-0.1
ii libgcc1 1:5.3.1-3
ii libgdk-pixbuf2.0-0 2.32.2-1
ii libglib2.0-0 2.46.2-1
ii libgnome-keyring0 3.12.0-1+b1
ii libgtk2.0-0 2.24.28-1
ii libjpeg62-turbo 1:1.4.1-2
ii libnspr4 2:4.11-1
ii libnspr4-0d 2:4.11-1
ii libnss3 2:3.21-1
ii libnss3-1d 2:3.21-1
ii libpango-1.0-0 1.38.1-1
ii libpangocairo-1.0-0 1.38.1-1
ii libpci3 1:3.3.1-1
ii libspeechd2 0.8-7
ii libsrtp0 1.4.5~20130609~dfsg-1.1
ii libstdc++6 5.3.1-3
ii libx11-6 2:1.6.3-1
ii libxcomposite1 1:0.4.4-1
ii libxcursor1 1:1.1.14-1+b1
ii libxdamage1 1:1.1.4-2+b1
ii libxext6 2:1.3.3-1
ii libxfixes3 1:5.0.1-2+b2
ii libxi6 2:1.7.5-1
ii libxml2 2.9.2+zdfsg1-4
ii libxrandr2 2:1.5.0-1
ii libxrender1 1:0.9.9-2
ii libxslt1.1 1.1.28-2.1
ii libxss1 1:1.2.2-1
ii libxtst6 2:1.2.2-1+b1
ii x11-utils 7.7+3
ii xdg-utils 1.1.1-1
chromium recommends no packages.
Versions of packages chromium suggests:
pn chromium-l10n <none>
-- no debconf information
--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
--- End Message ---
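The "as if" rule from the report above, as an added example that is not part of the original message and is not Chromium's or NSS's code: a simplified Python model of a validator that remembers intermediates, compared against a cache-free validation of the chain the server actually sent. The certificate names, the `prefer_cache` switch and the assumption that an earlier visit cached a SHA-1-signed intermediate with the same subject are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    sig_alg: str  # algorithm the issuer used to sign this certificate

ROOTS = {"Example Root"}  # constructed trust store
# Constructed sample: one CA name, reissued with a SHA-256 signature.
OLD_INT = Cert("Example CA", "Example Root", "sha1WithRSAEncryption")
NEW_INT = Cert("Example CA", "Example Root", "sha256WithRSAEncryption")
LEAF_A = Cert("a.example", "Example CA", "sha256WithRSAEncryption")
LEAF_B = Cert("b.example", "Example CA", "sha256WithRSAEncryption")

def build_chain(leaf, candidates):
    """Follow issuer names from the leaf to a trusted root, taking the first
    candidate whose subject matches. Returns the non-root certificates."""
    chain, current = [leaf], leaf
    while current.issuer not in ROOTS:
        current = next((c for c in candidates if c.subject == current.issuer), None)
        if current is None:
            raise ValueError("no issuer certificate available")
        chain.append(current)
    return chain

def weak(chain):
    """Subjects of chain members whose signature uses SHA-1."""
    return [c.subject for c in chain if c.sig_alg.startswith("sha1")]

class CachingValidator:
    """Model (assumption) of a validator that remembers intermediates it has seen."""
    def __init__(self, prefer_cache):
        self.cache, self.prefer_cache = [], prefer_cache

    def validate(self, leaf, served):
        # The only difference between the two modes is candidate order.
        pool = self.cache + served if self.prefer_cache else served + self.cache
        chain = build_chain(leaf, pool)
        self.cache += [c for c in served if c not in self.cache]
        return weak(chain)

def violates_as_if(validator, leaf, served):
    """True when the cached verdict differs from a fresh, cache-free validation."""
    return validator.validate(leaf, served) != weak(build_chain(leaf, served))

def demo(prefer_cache):
    v = CachingValidator(prefer_cache)
    v.validate(LEAF_A, [OLD_INT])         # earlier visit caches the SHA-1 intermediate
    return v.validate(LEAF_B, [NEW_INT])  # this site serves only the SHA-256 one
```

In this model, `demo(True)` reports a SHA-1 certificate for a site whose served chain contains none, while `demo(False)` gives the same answer as a validation with no cache at all.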
--- Begin Message ---
On Sat, Dec 12, 2015 at 9:41 PM, brian m. carlson wrote:
> On Sat, Dec 12, 2015 at 09:20:13PM -0500, Michael Gilbert wrote:
>> control: tag -1 upstream
>>
>> Since this isn't a packaging issue, please report this upstream.
>
> Please feel free to forward it there. I report bugs to Debian so I
> don't have to have an account on every bug tracker on the planet. The
> upstream bug tracker also forces me to use my Gmail address, which I
> don't actually want to use.
I have no interest in this problem. You're wasting my time if you're
not willing to debug or shepherd it yourself.
Best wishes,
Mike
--- End Message ---