On Thu, 14 Jun 2012 07:40:50 -0500 Josh Bressers <j...@bress.net> wrote:
> Hello all,
>
> I suspect this is going to be a weird problem to figure out.
>
> Revelation password manager
> https://admin.fedoraproject.org/pkgdb/applications/Revelation
> Password Manager
>
> Has been found to be unsafe.
> http://knoxin.blogspot.co.uk/2012/06/revelation-password-manager-considered.html
>
> I would hope it gets fixed at some future point, but something should
> probably be done in the short term.
>
> I'm not sure what Fedora precedent is on issues like this. We can't
> really revoke such a package, and we also want to give users a warning
> to use a different password manager (I'm not entirely sure how to best
> do this).
>
> Does anyone have any thoughts?

Sad ones. ;(

Possible options:

- Push out an update that adds a big warning dialog to the package pointing to the issues.
- Obsolete the package with another password manager that's more secure. This is not very ideal though, as it's unlikely to have the same features and so on.
- Update the package with a readme, etc. on the issue, replacing the binary. This is non-ideal as it's removing functionality (albeit insecure functionality).

I guess I would say the first option is the best, but that's something that the maintainer(s) of the package should put together, or at least agree with someone creating.

kevin
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel