On 08/03/2015 10:41 AM, Tristan Seligmann wrote:
> Unfortunately there are some significant challenges with 2.0+. The
> primary issue is the dependency on tlslite, which was removed from
> Debian previously due to being insecure and unmaintained. In addition,
> quite a bit of the certificate handling code does things incorrectly
> (see e.g. the certificate chain verification code[1] that does not
> check the certificate purpose, allowing anyone with a valid cert to
> sign a fraudulent cert as if they were a CA).
>
> I would very much welcome help with these issues, but be warned there
> is most likely a fair amount of work involved in either rewriting the
> cert-handling code to use another library (probably
> python-openssl/python-cryptography), or resurrecting and maintaining
> the tlslite package.
>
> [1]
> https://github.com/spesmilo/electrum/blob/master/lib/paymentrequest.py#L119

If that's the case, does it even remain feasible to keep this in Debian
with a year-old version that has its own incompatibilities with future
versions and its own problems?

Based solely on what you've said (a dependency doesn't exist anymore,
other handling codes being bad and thereby introducing a MITM problem,
etc.), it *sounds* like it should be removed...


Thomas
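
The missing purpose check described in the quoted message, as an added example that is neither Electrum's nor Debian's code: a chain walk with python-cryptography (the replacement library the thread mentions) that only accepts a signer as a CA when its basicConstraints says so. The root, intermediate, leaf and forged certificates are all constructed inside the block; the `demo()` function and its names are assumptions for illustration.

```python
# Added example, not Electrum's code: a chain walk using python-cryptography
# that refuses to accept a signer as a CA unless its cert says it is one.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def make_cert(cn, key, issuer, is_ca):
    """Constructed test cert for `key`; issuer is (issuer_cert or None, issuer_key)."""
    issuer_cert, issuer_key = issuer
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    start = datetime.datetime(2015, 8, 3, tzinfo=datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).public_key(key.public_key())
            .issuer_name(issuer_cert.subject if issuer_cert else subject)
            .serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def may_sign_certs(cert):
    """The purpose check the thread says is missing: only CA:TRUE may sign certs."""
    try:
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        return False

def verify_chain(chain, check_purpose=True):
    """chain[0] is the leaf, chain[-1] the trusted root; every link must be signed
    by the next, and (with check_purpose) that signer must be a CA."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject or (check_purpose and not may_sign_certs(parent)):
            return False
        try:
            parent.public_key().verify(child.signature, child.tbs_certificate_bytes,
                                       ec.ECDSA(child.signature_hash_algorithm))
        except InvalidSignature:
            return False
    return True

def demo():
    """Returns (honest chain, forged chain with purpose check, forged chain without)."""
    root_k, mid_k, leaf_k, fraud_k = [ec.generate_private_key(ec.SECP256R1()) for _ in range(4)]
    root = make_cert("Root CA", root_k, (None, root_k), is_ca=True)
    mid = make_cert("Intermediate CA", mid_k, (root, root_k), is_ca=True)
    leaf = make_cert("merchant.example", leaf_k, (mid, mid_k), is_ca=False)
    fraud = make_cert("victim.example", fraud_k, (leaf, leaf_k), is_ca=False)  # leaf acting as CA
    chain = [fraud, leaf, mid, root]
    return (verify_chain([leaf, mid, root]), verify_chain(chain), verify_chain(chain, check_purpose=False))
```

Signature-only verification accepts the forged chain because every signature is genuine; the purpose check is what rejects it.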

