Re: Is 603450 really release critical?

On Wed, Dec 08, 2010 at 08:45:30AM +0100, Alexander Reichle-Schmehl wrote:
> #603450 is a bug (currently with severity grave, Justification: user security
> hole), as offlineimap does no SSL certificate checking.

Could you explain why it should be acceptable to announce secure operation but
ignore the very basic principles of it? #564690 is an old example of the same
problem.

> There's a patch floating around, which has a major regression: It doesn't
> work for users of self-signed certificates.

From what I've seen in the bug, even you should be able to fix that.

Bastian

-- 
... bacteriological warfare ... hard to believe we were once foolish enough
to play around with that.
		-- McCoy, "The Omega Glory", stardate unknown

-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20101208093723.ga30...@wavehammer.waldi.eu.org
Re: Is 603450 really release critical?

Hi!

On 08.12.2010 10:37, Bastian Blank wrote:
> #564690 is an old example of the same problem.

So is #547092 (which has severity important). And I'm sure if we dig deep
enough, we can find others as well.

> > There's a patch floating around, which has a major regression: It doesn't
> > work for users of self-signed certificates.
> From what I've seen in the bug, even you should be able to fix that.

If I'm ever interested in your opinion, I'll let you know.

Alexander

Archive: http://lists.debian.org/4cff593b.5010...@debian.org
Re: Is 603450 really release critical?

* Bastian Blank [2010-12-08 10:37 +0100]:
> On Wed, Dec 08, 2010 at 08:45:30AM +0100, Alexander Reichle-Schmehl wrote:
> > #603450 is a bug (currently with severity grave, Justification: user
> > security hole), as offlineimap does no SSL certificate checking.
> Could you explain why it should be acceptable to announce secure operation
> but ignore the very basic principles of it? #564690 is an old example of the
> same problem.

Could you explain how an example of a bug with a severity set by yourself
supports your point, considering that the maintainer of this package only
agreed about the bug's severity because it was a regression?

Carsten

Archive: http://lists.debian.org/20101208110035.ga22...@furrball.stateful.de
Is 603450 really release critical?

Hi release manager,

#603450 is a bug (currently with severity grave, Justification: user security
hole), as offlineimap does no SSL certificate checking.

While I agree that this is a really important feature which should be fixed,
I'm wondering if that really is release critical. There's a patch floating
around, which has a major regression: It doesn't work for users of self-signed
certificates.

Should this bug be seen as of release critical severity, would you therefore
at least consider tagging it squeeze-ignore?

Best Regards,
  Alexander

Archive: http://lists.debian.org/20101208074530.gb30...@melusine.alphascorpii.net
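As an added illustration of the two TLS client policies this thread contrasts (this is not offlineimap's code nor the patch under discussion), written for Python's imaplib: the unverified connection described in #603450, and a verifying one that still accepts a self-signed server certificate when the user points it at that certificate file. The host, port and cafile values are assumptions a caller supplies.

```python
import imaplib
import ssl
from typing import Optional

# Added example, not offlineimap's code or the patch discussed in the thread.


def unchecked_context() -> ssl.SSLContext:
    """The behaviour reported in #603450: TLS is negotiated, but the server's
    certificate is never verified, so any certificate presented on the wire
    is accepted as the real server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Verify the certificate chain and the hostname.

    cafile=None: trust the system CA store (public CAs).
    cafile=<path>: trust only the PEM certificate(s) in that file. Pointing
    it at the server's own self-signed certificate (or a private CA) makes
    that certificate the trust anchor, so self-signed servers keep working
    instead of being rejected, which is the regression the thread describes.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def open_imap(host: str, port: int = 993, cafile: Optional[str] = None,
              verify: bool = True) -> imaplib.IMAP4_SSL:
    """Open an IMAPS connection under one of the two policies above.

    With verify=True, a certificate that does not chain to the trust anchor,
    or whose name does not match `host`, raises ssl.SSLCertVerificationError
    during the handshake, before any credentials are sent."""
    ctx = verifying_context(cafile) if verify else unchecked_context()
    return imaplib.IMAP4_SSL(host, port, ssl_context=ctx)


def policy_of(ctx: ssl.SSLContext) -> str:
    """Label a context so a configuration check can report what it would do."""
    if ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname:
        return "verified"
    return "unverified"
```

A self-signed server is supported by shipping its certificate file to the client and passing it as cafile, not by falling back to the unchecked policy.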