severity 662960 wishlist
thanks

The bug has been given the tag "security", which is in sync with its TLS
deficiencies. However (as you noticed) "Severity" values (while they
might look innocently like plain English) have quite specific meanings
in the BTS, which sometimes might be at odds with their common-language
usage.

Because of that, "Severity" is not just a number from 0-5 indicating
how much one would like the bug to be fixed, but something else.

"Severity: important" would indicate that the package is just one small
step away from "rendering it completely unusable to everyone", which
looks too harsh to me in this case (as in many cases ssmtp is used
only for non-TLS plaintext SMTP delivery on a LAN from satellite
machines to the main MTA, which would then speak TLS to the outside world
etc.)

"Severity: wishlist" however (as opposed to "normal") subtly
indicates that there is some functionality that is *missing*, and
that someone needs to think it over and write it, and that it might
be a more complicated task and probably not a one-line fix (and thus
it would probably be left to upstream to fix, as the Debian maintainer in
most cases won't be fixing it h[im/er]self unless upstream is dead
and someone else provides a verified good patch). It also indicates
it might be due to design decisions, like here.

I do agree completely with you that the package should strongly indicate
in its docs and description its TLS deficiencies. If someone
were to write such a documentation patch, perhaps it might have a
chance to be included.

[ As a side note, even with certificate checking in place there are a
lot of problems in today's "zillion untrusted CAs which we trust
anyway" security model, and even more so if you move from the web
world (where clients try to be secure, and even people might
sometimes check basic credentials) to the unattended MTA world where
almost nobody does, and the vast majority of MTAs will simply by
default silently downgrade to plaintext if they think anything
might be problematic with TLS support etc. ]


-- 
Opinions above are GNU-copylefted.
