Bug#603450: Is 603450 really release critical?

2010-12-09 Thread gregor herrmann
On Wed, 08 Dec 2010 08:45:30 +0100, Alexander Reichle-Schmehl wrote:

> There's a patch floating around, which has a major regression: It doesn't
> work for users of self signed certificates.

FWIW: As an offlineimap user I'd be very unhappy if it stopped
working with my IMAP server with its self-signed certificate.

Cheers,
gregor

-- 
 .''`.   http://info.comodo.priv.at/ -- GPG key IDs: 0x8649AA06, 0x00F3CFE4
 : :' :  Debian GNU/Linux user, admin,  developer - http://www.debian.org/
 `. `'   Member of VIBE!AT  SPI, fellow of Free Software Foundation Europe
   `-NP: Bob Dylan: Cold Irons Bound




Bug#603450: Is 603450 really release critical?

2010-12-08 Thread Bastian Blank
On Wed, Dec 08, 2010 at 08:45:30AM +0100, Alexander Reichle-Schmehl wrote:
> #603450 is a bug (currently with severity grave, Justification: user
> security hole), as offlineimap does no ssl certificate checking.

Could you explain why it should be acceptable to announce secure
operation but ignore the very basic principles of it? #564690 is an old
example of the same problem.

> There's a patch floating around, which has a major regression: It doesn't
> work for users of self signed certificates.

From what I've seen in the bug, even you should be able to fix that.

Bastian

-- 
... bacteriological warfare ... hard to believe we were once foolish
enough to play around with that.
-- McCoy, The Omega Glory, stardate unknown



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#603450: Is 603450 really release critical?

2010-12-08 Thread Alexander Reichle-Schmehl
Hi!

On 08.12.2010 10:37, Bastian Blank wrote:

> #564690 is an old example of the same problem.

So is #547092 (which has severity important).  And I'm sure if we dig
deep enough, we can find others as well.


> > There's a patch floating around, which has a major regression: It doesn't
> > work for users of self signed certificates.
> From what I've seen in the bug, even you should be able to fix that.

If I'm ever interested in your opinion, I'll let you know.


Alexander






Bug#603450: Is 603450 really release critical?

2010-12-08 Thread Carsten Hey
* Bastian Blank [2010-12-08 10:37 +0100]:
> On Wed, Dec 08, 2010 at 08:45:30AM +0100, Alexander Reichle-Schmehl wrote:
> > #603450 is a bug (currently with severity grave, Justification: user
> > security hole), as offlineimap does no ssl certificate checking.
>
> Could you explain why it should be acceptable to announce secure
> operation but ignore the very basic principles of it? #564690 is an old
> example of the same problem.

Could you explain how an example of a bug with a severity set by
yourself supports your point, considering that the maintainer of this
package only agreed about the bug's severity because it was a regression?

Carsten






Bug#603450: Is 603450 really release critical?

2010-12-07 Thread Alexander Reichle-Schmehl
Hi release manager,

#603450 is a bug (currently with severity grave, Justification: user
security hole), as offlineimap does no ssl certificate checking.


While I agree that this is a really important feature which should be
fixed, I'm wondering if that really is release critical.


There's a patch floating around, which has a major regression: It doesn't
work for users of self signed certificates.  Should this bug be seen as
of release critical severity, would you therefore at least consider
tagging it squeeze-ignore?


Best Regards,
  Alexander


