Your message dated Thu, 19 May 2016 13:29:51 +0000
with message-id <[email protected]>
and subject line Re: [Pkg-privacy-maintainers] Bug#760308: add https for
additional, optional security layer
has caused the Debian Bug report #760308,
regarding "add https for additional, optional security layer"
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
760308: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760308
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
package: onionshare
tags: security
severity: serious
x-debbugs-cc: [email protected], Micah Lee <[email protected]>
Hi,
first of all: thanks for all your work on anonymity related tools! Much
appreciated!
I've just sponsored Ulrike's onionshare 0.5-1 package to Debian sid, where it
currently awaits NEW processing (=ftpmasters checking whether a new package is
fine).
Ulrike told me that onionshare only sets up a http webserver, not an https
one, which I consider a security issue of such a severity, that I don't think
we should ship onionshare as part of the Debian jessie release. (As it doesn't
match the quality standards we expect in Debian.)
Thus this bug report, which will prevent the migration of onionshare to
Jessie.
Micah, if this observation is wrong (a quick look at the code didn't support
this though), please tell. I'd love to close this bug immediately ;-)
cheers,
Holger, who would love to see onionshare in Jessie!
(As the package is not yet in the archive, this bugreport will first be
assigned to the bugs of packages with no maintainer and automatically be
reassigned to onionshare, once it has entered the archive....)
--- End Message ---
--- Begin Message ---
On Thu, May 19, 2016 at 03:11:08PM +0200, Nicolas Braud-Santoni wrote:
> Control: tags -1 moreinfo
> Holger, what is the expected security improvement?
btw, you provided the subject of the bug, that's good. But I still had to
look up the bug to see which package was affected and thus what this was
about…
> It's not as if a self-signed cert would make impersonating the onion service
> harder, and forward-secrecy on the exchange is provided by the Tor circuit
> (using the ntor KEX on Curve25519, if I'm not mistaken).
more or less agreed… closing the bug.
--
cheers,
Holger
--- End Message ---