On Tue, 30 Apr 2019 10:59:16 -0400 Sam Hartman <lea...@debian.org> wrote:
>
> I realize that we normally don't care about packages only in sid, but
> the version of electrum in sid is apparently only useful to funnel your
> bitcoin to attackers.
> The issue is that versions prior to 3.3 are vulnerable to malware, and
> as a result all the public servers refuse to talk to the version in sid,
> but rogue servers are happy to take your credentials and money.
>
> The maintainer has not addressed this bug since Feb 7.
>
> I don't have time to go look into the package and upgrade before leaving
> on a trip tomorrow.
>
> If we can't get this fixed really quick would ftpmaster accept a request
> to remove the package?
>

FTR, I looked at 3.3.4 and it requires 2 new Python modules that are not yet in the archive: aiohttp_socks and aiorpcx.
My work on the package is at https://salsa.debian.org/bigon/electrum