On Mon, May 06, 2019 at 12:00:22PM -0400, Sam Hartman wrote:
>
> Package: ftp.debian.org
> Severity: normal
>
> Hi. As discussed in
> https://cointelegraph.com/news/phishing-attack-on-electrum-wallet-nets-hacker-almost-1-million-in-hours-report
> the version of electrum in sid is vulnerable to mallware and has been
> disabled by the electrum servers. So basically the version in sid is
> only useful for getting your bitcoin phished. At least until this
> version is updated it should be removed. See #921688 for details.
We have poor means for people to detect that a package has been removed
from the archive (and needs local removal); an alternative might be to
NMU in sid so that it sys.exit()s with a message stating that running
Electrum is dangerous and has been enabled and only proceed with the
removal in a few weeks?
Cheers,
Moritz
