Control: forwarded -1 https://github.com/HenriWahl/Nagstamon/issues/302
Control: tags -1 + upstream confirmed
Hi Paul,

On Tue, 25 Apr 2017 11:27:01 +0800 Paul Wise <p...@debian.org> wrote:
> Severity: serious
> Tags: security
>
> When I run nagstamon from a terminal against the Debian nagios I get a
> warning about unverified and thus insecure HTTPS requests being made:
>
> ...
> /usr/lib/python3/dist-packages/urllib3/connectionpool.py:845:
> InsecureRequestWarning: Unverified HTTPS request is being made. Adding
> certificate verification is strongly advised. See:
> https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
>   InsecureRequestWarning)

Now stuff is getting interesting... I think upstream is thinking differently about the severity of this behaviour.
In other parts of the code, these urllib3 warnings are explicitly being disabled:
https://github.com/HenriWahl/Nagstamon/blob/master/Nagstamon/Servers/Generic.py#L24

So it just doesn't get noticed there although the behaviour is the same.

This explicit neglection of verifying HTTPS connections was added in
https://github.com/HenriWahl/Nagstamon/issues/126
which also had a Debian bug at
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774687

There also is already an upstream equivalent of this bug report:
https://github.com/HenriWahl/Nagstamon/issues/302

Now is the current behaviour really a policy violation (if so, please help me by pointing to the correct source for that) or would you be open to lowering the severity of this bug?

Regards,
-- 
Moritz Schlarb
Unix-Gruppe | Systembetreuung
Zentrum für Datenverarbeitung
Johannes Gutenberg-Universität Mainz
Raum 01-321 - Tel. +49 6131 39-29441
OpenPGP Fingerprint: DF01 2247 BFC6 5501 AFF2 8445 0C24 B841 C7DD BAAF
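The combination discussed in this message (HTTPS requests made without certificate verification, with the urllib3 warning suppressed so nothing is printed) can be located by static inspection of Python source. The following is an added example, not part of the original mail and not Nagstamon code; the sample source and the function names are constructed for illustration.

```python
import ast

# Constructed sample source (not Nagstamon code): a client that skips
# certificate verification and silences the resulting urllib3 warning.
SAMPLE = '''
import requests
import urllib3

urllib3.disable_warnings()

def fetch(url, ca_bundle=None):
    if ca_bundle:
        return requests.get(url, verify=ca_bundle, timeout=10)
    return requests.get(url, verify=False, timeout=10)
'''


def _call_name(node):
    """Return the dotted name of a call target, e.g. 'urllib3.disable_warnings'."""
    parts = []
    target = node.func
    while isinstance(target, ast.Attribute):
        parts.append(target.attr)
        target = target.value
    if isinstance(target, ast.Name):
        parts.append(target.id)
    return ".".join(reversed(parts))


def find_tls_verification_gaps(source):
    """Return sorted (line, finding) tuples for verify=False and disable_warnings()."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        # Suppressing the warning hides unverified requests from the operator.
        if name.split(".")[-1] == "disable_warnings":
            findings.append((node.lineno, f"{name}() hides InsecureRequestWarning"))
        # A literal verify=False turns certificate validation off for that call.
        for kw in node.keywords:
            if (kw.arg == "verify" and isinstance(kw.value, ast.Constant)
                    and kw.value.value is False):
                findings.append((node.lineno, f"{name}(verify=False) skips certificate checks"))
    return sorted(findings)


if __name__ == "__main__":
    for line, finding in find_tls_verification_gaps(SAMPLE):
        print(f"line {line}: {finding}")
```

Only a literal `verify=False` is matched; a value passed through a variable or configuration option needs a data-flow check or a runtime test instead.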