Control: found -1 1.16-1 Control: tag -1 + upstream Control: clone -1 -2 Control: severity -1 wishlist Control: retitle -2 wget manpage doesn't warn that certificate revocation lists are not checked
Hi, [hoping I got all the Control stanzas right..] Vincent Lefevre wrote (28 Apr 2014 09:11:42 GMT) : > It's a bug because it doesn't behave as documented [...] OK, thanks for the clarification. Then, keeping #745836 as a wishlist bug to track the missing feature, and creating a clone about the more important (and more likely to be fixed here) documentation bug. Regarding the missing feature, you might have better chances of seeing this resolved by reporting it upstream :) (I've checked there [1] and could not find it.) [1] https://savannah.gnu.org/bugs/?group=wget > This makes the user (who cares about certificate validity) assume that > without the --no-check-certificate option, the site's authenticity is > guaranteed, while this is currently absolutely wrong with the lack of > revocation checking. There's no such thing as "guaranteed" wrt. IT security in general, and even less so when one is relying on known-broken systems like the CA cartel to authenticate remote parties. Therefore, I personally don't think that the doc bug should be RC, but I'm not interested in severity ping-pong, so I'll let it to the maintainer to judge, and to the release team to decide if it should be ignored for Jessie. Cheers, -- intrigeri -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org