Bug#790324: luakit: Improve security level, dubious features
Package: luakit
Version: 2012.09.13-r1-4
Severity: serious
Dear Maintainer,
Looking at globals.lua, I was considering that the low level of security was
due to the (somewhat) aged package. Now, looking at the changes applied by the
'ugh' patch, I see some of these artifacts are not provided upstream, but rather
by the maintainer. From what I understood from an earlier bug report, these
changes were made due to not reproducible builds. Now, before trying to enter
testing again, I think the following points should be considered.
Search engines
All search engines, except github, are specified using an unsecured connexion
although all the servers do. The 'ugh' patch _downgrades_ them, actually. I am
also wondering why was Netflix added, since, afaik, it doesn't work out of
the box.
x509 certificates
Although debatable, support for user-provided x509 certificates is risky.
Personally, I consider certificates installed system-wide (read: by root) much
more trustable. For one, and simply, they cannot be modified by a rogue process
ran by the user.
Regarding 'soup.ssl_strict = false', I don't think I need to explain.
Looking up /etc/hosts
I am pretty sure this is the job of /etc/nsswitch.conf
Thank you
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 4.0.0-2-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages luakit depends on:
ii libatk1.0-0 2.16.0-2
ii libc6 2.19-18
ii libcairo2 1.14.2-2
ii libfontconfig1 2.11.0-6.3
ii libfreetype6 2.5.2-4
ii libgdk-pixbuf2.0-0 2.31.4-2
ii libglib2.0-0 2.44.1-1
ii libgtk2.0-0 2.24.28-1
ii libjavascriptcoregtk-1.0-0 2.4.9-2
ii liblua5.1-0 5.1.5-7.1
ii libpango-1.0-0 1.36.8-3
ii libpangocairo-1.0-0 1.36.8-3
ii libpangoft2-1.0-0 1.36.8-3
ii libsoup2.4-1 2.50.0-2
ii libsqlite3-0 3.8.10.2-1
ii libunique-1.0-0 1.1.6-5
ii libwebkitgtk-1.0-0 2.4.9-2
ii lua-filesystem [lua5.1-filesystem] 1.6.2-3
luakit recommends no packages.
luakit suggests no packages.
-- no debconf information
Reply to: