On Sun, 10 Feb 2013, Thijs Kinkhorst wrote:

> Hi Alex,
>
> > > All agreed... but would you consider adding some big warnings about that
> > > fact? :)
> > That's something for the release notes or README.Debian. Feel free to send a
> > patch.
>
> I do not believe the issue should mean that NRPE is so critically flawed that
> it should be removed from Wheezy: as sketched there are quite some ways to use
> NRPE safely, including other ways to do encryption. Also, when not allowing
> command line parameters in the protocol (the default), for many environments
> the existing network-level safeguards and local firewalls and network ACLs
> may provide adequate protection. So the key to this bug is to add
> documentation that this specific feature is not to be relied on, as you said.
>
> I've added a patch which I think does this. It adds a warning in
> README.Debian, it rewrites the shipped SECURITY file to convert the mention of
> the facility into a warning against it, and doesn't ship the README.SSL
> anymore. I believe it should then be clear enough what the status of the
> feature is.
>
> I don't think that adding something to the release notes is appropriate per se,
> since this is not a new thing for wheezy at all.
>
> If this can be applied in unstable/wheezy, I believe the bug can be downgraded
> to a non-RC bug about the broken functionality.
>
> Please consider applying and uploading. I'm happy to NMU if you prefer; please
> let me know.

Thanks, that was something like I had in mind. I'll apply this patch and upload
tomorrow.
Alex
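The mitigations Thijs relies on above, leaving command arguments disabled (dont_blame_nrpe=0, the NRPE default) and restricting which hosts may talk to the daemon (allowed_hosts), are both plain nrpe.cfg directives, so they can be audited mechanically. The following POSIX sh script is an added example written for this page; it is not part of the bug report, the patch, or the Debian nrpe package. The directive names are NRPE's own; the treatment of 0.0.0.0/0, ::/0 and "*" as "accepts any source" is a heuristic of this script, and the config contents used to exercise it are constructed.

```shell
#!/bin/sh
# Added example (not from the Debian nrpe package or this bug report):
# audit an nrpe.cfg for the two settings the thread above depends on when
# NRPE's built-in SSL is not trusted: command arguments must stay disabled
# and allowed_hosts must name specific sources.

# Print the effective value of a directive. The last assignment wins;
# commented-out lines (#allowed_hosts=...) are ignored.
nrpe_cfg_get() {
    # $1 = path to nrpe.cfg, $2 = directive name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 when command arguments are disabled and allowed_hosts is set to
# explicit addresses; return 1 and print a FAIL line for each problem found.
nrpe_cfg_audit() {
    cfg="$1"
    rc=0
    blame=$(nrpe_cfg_get "$cfg" dont_blame_nrpe)
    hosts=$(nrpe_cfg_get "$cfg" allowed_hosts | tr -d ' \t')

    # An unset dont_blame_nrpe means the NRPE default of 0 (arguments off).
    if [ "${blame:-0}" != "0" ]; then
        echo "FAIL: dont_blame_nrpe=$blame allows remote command arguments over an unauthenticated channel"
        rc=1
    fi

    if [ -z "$hosts" ]; then
        echo "FAIL: allowed_hosts is not set; every source address may connect"
        rc=1
    else
        # Heuristic of this script: wildcard or whole-Internet entries defeat
        # the network-level restriction the thread counts on.
        case ",$hosts," in
            *,0.0.0.0/0,*|*,::/0,*|*,\*,*)
                echo "FAIL: allowed_hosts=$hosts accepts any source"
                rc=1 ;;
        esac
    fi

    [ "$rc" -eq 0 ] && echo "OK: command arguments disabled, allowed_hosts=$hosts"
    return "$rc"
}

# Usage: sh nrpe_audit.sh /etc/nagios/nrpe.cfg
[ -n "${1-}" ] && nrpe_cfg_audit "$1"
```

The script only checks what the config file says; an allowed_hosts entry still has to be backed by the firewall or network ACL, since the daemon's own check is by source address and the channel it rides on is, per this bug, not authenticated.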