
Bug#790324: luakit: Improve security level, dubious features



Package: luakit
Version: 2012.09.13-r1-4
Severity: serious

Dear Maintainer,

Looking at globals.lua, I was considering that the low level of security was
due to the (somewhat) aged package. Now, looking at the changes applied by the
'ugh' patch, I see some of these artifacts are not provided upstream, but rather
by the maintainer. From what I understood from an earlier bug report, these
changes were made due to not reproducible builds. Now, before trying to enter
testing again, I think the following points should be considered.


Search engines

All search engines, except github, are specified using an unsecured connection
although all the servers do. The 'ugh' patch _downgrades_ them, actually. I am
also wondering why Netflix was added, since, afaik, it doesn't work out of
the box.


x509 certificates

Although debatable, support for user-provided x509 certificates is risky.
Personally, I consider certificates installed system-wide (read: by root) much
more trustable. For one, and simply, they cannot be modified by a rogue process
run by the user.

Regarding 'soup.ssl_strict = false', I don't think I need to explain.


Looking up /etc/hosts

I am pretty sure this is the job of /etc/nsswitch.conf.


Thank you


-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 4.0.0-2-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages luakit depends on:
ii  libatk1.0-0                         2.16.0-2
ii  libc6                               2.19-18
ii  libcairo2                           1.14.2-2
ii  libfontconfig1                      2.11.0-6.3
ii  libfreetype6                        2.5.2-4
ii  libgdk-pixbuf2.0-0                  2.31.4-2
ii  libglib2.0-0                        2.44.1-1
ii  libgtk2.0-0                         2.24.28-1
ii  libjavascriptcoregtk-1.0-0          2.4.9-2
ii  liblua5.1-0                         5.1.5-7.1
ii  libpango-1.0-0                      1.36.8-3
ii  libpangocairo-1.0-0                 1.36.8-3
ii  libpangoft2-1.0-0                   1.36.8-3
ii  libsoup2.4-1                        2.50.0-2
ii  libsqlite3-0                        3.8.10.2-1
ii  libunique-1.0-0                     1.1.6-5
ii  libwebkitgtk-1.0-0                  2.4.9-2
ii  lua-filesystem [lua5.1-filesystem]  1.6.2-3

luakit recommends no packages.

luakit suggests no packages.

-- no debconf information
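As an added example (not part of this bug report or of the luakit package), the following Python audit flags the three settings the report objects to in a luakit globals.lua and rewrites them to their hardened form. The globals.lua fragment below is constructed for the example; it assumes luakit's `search_engines` table of `%s`-templated URLs and the `soup.ssl_strict` / `soup.ssl_ca_file` keys.

```python
import re

# Constructed globals.lua fragment (not the real Debian file); it reproduces the
# patterns raised in the report: plain-HTTP search engines, ssl_strict = false,
# and a user-writable CA file under $HOME.
SAMPLE_GLOBALS_LUA = """
search_engines = {
    duckduckgo  = "http://duckduckgo.com/?q=%s",
    github      = "https://github.com/search?q=%s",
    wikipedia   = "http://en.wikipedia.org/wiki/Special:Search?search=%s",
}
search_engines.default = search_engines.duckduckgo

soup.ssl_strict = false
soup.ssl_ca_file = os.getenv("HOME") .. "/.local/share/luakit/ca-certs.pem"
"""

# A search-engine entry whose URL template starts with http://
SEARCH_RE = re.compile(r'^[ \t]*(\w+)[ \t]*=[ \t]*"(http://[^"]+)"', re.MULTILINE)
# Certificate validation switched off
SSL_STRICT_RE = re.compile(r'^[ \t]*soup\.ssl_strict[ \t]*=[ \t]*false\b', re.MULTILINE)
# Any explicit CA file setting (checked below for a $HOME path)
CA_FILE_RE = re.compile(r'^[ \t]*soup\.ssl_ca_file[ \t]*=[ \t]*(.+)$', re.MULTILINE)


def audit_globals(text):
    """Return (severity, message) findings for the given globals.lua text."""
    findings = []
    for name, url in SEARCH_RE.findall(text):
        findings.append(("warn", f"search engine '{name}' uses plain HTTP: {url}"))
    if SSL_STRICT_RE.search(text):
        findings.append(("error", "soup.ssl_strict = false disables TLS certificate validation"))
    m = CA_FILE_RE.search(text)
    if m and "HOME" in m.group(1):
        findings.append(("warn", "soup.ssl_ca_file points into $HOME: user-writable CA store"))
    return findings


def harden(text):
    """Rewrite weak settings: https:// for search engines, ssl_strict = true,
    and drop the per-user CA file so the system-wide store is used."""
    text = SEARCH_RE.sub(lambda m: m.group(0).replace("http://", "https://", 1), text)
    text = SSL_STRICT_RE.sub("soup.ssl_strict = true", text)
    text = CA_FILE_RE.sub("-- soup.ssl_ca_file removed: rely on the system-wide CA store", text)
    return text


if __name__ == "__main__":
    for severity, msg in audit_globals(SAMPLE_GLOBALS_LUA):
        print(f"[{severity}] {msg}")
    print(harden(SAMPLE_GLOBALS_LUA))
```

Running the audit again on the hardened text returns no findings, which is the check a maintainer would want before re-uploading.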

