
Bug#486081: marked as done (ssl-cert: Debconf abuse: is there *really* a need to stop installation to tell users about certificate replacement?)



Your message dated Fri, 13 Jun 2008 18:38:32 +0200
with message-id <20080613163832.GJ29038@mykerinos.kheops.frmug.org>
and subject line Re: Bug#486081: ssl-cert: Debconf abuse: is there *really* a need to stop installation to tell users about certificate replacement?
has caused the Debian Bug report #486081,
regarding ssl-cert: Debconf abuse: is there *really* a need to stop installation to tell users about certificate replacement?
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
486081: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=486081
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: ssl-cert
Version: 1.0.20
Severity: normal

Critical level debconf notes should be kept for things that users *must
absolutely see*.

The text of the note you added in the last release of the package says
that... the note can be ignored if one does not know what it is about.

It means that the package will handle the certificate replacement gently.
So I really see no reason to interrupt all upgrades (including etch->lenny
upgrades?) for this.

Such text could even be seen as belonging to NEWS.Debian and not a debconf
note.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-1-686 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ssl-cert depends on:
ii  adduser                      3.108       add and remove users and groups
ii  debconf [debconf-2.0]        1.5.22      Debian configuration management sy
ii  openssl                      0.9.8g-10.1 Secure Socket Layer (SSL) binary a
ii  openssl-blacklist            0.3.2       list of blacklisted OpenSSL RSA ke

ssl-cert recommends no packages.

-- debconf information:
  make-ssl-cert/vulnerable_prng:
  make-ssl-cert/title:
  make-ssl-cert/ouname: Direction de la qualité des moules-frites
  make-ssl-cert/hostname: localhost
  make-ssl-cert/organisationname: Ministère de la Culture du Mali
  make-ssl-cert/statename: Valais
  make-ssl-cert/localityname: Montréal
  make-ssl-cert/countryname: FR
  make-ssl-cert/email: webmaster@localhost



--- End Message ---
--- Begin Message ---
Quoting Stefan Fritsch (sf@sfritsch.de):

> This was how the security upgrades for the ssl issue were handled and I
> see no reason to deviate in ssl-cert. It is likely that the ssl-cert
> update will be in an etch point release before lenny release (but
> openssl-blacklist needs to be uploaded to stable first). Therefore
> etch->lenny upgrades are not an issue.
> 
> For people who actually use the certificate, it is important to see the
> message. Otherwise they might (or at least should) think that there was a
> MITM attack in progress. But not all users of ssl-cert will actually use
> the default certificate, hence the last line of the text.


OK, fair enough. Hence closing my bug report.



--- End Message ---
