Allow encfs into jessie?

To: debian-devel@lists.debian.org
Cc: 736066@bugs.debian.org
Subject: Allow encfs into jessie?
From: Jan Niehusmann <jan@gondor.com>
Date: Thu, 11 Sep 2014 12:12:08 +0200
Message-id: <[🔎] 20140911101208.GA17234@x61s.reliablesolutions.de>

Hi,

due to bug #736066, encfs was removed from jessie.

I'd think it would be better to allow encfs into jessie for the
following reasons:

The bug report is about security issues, but these are not security
issues of the software (as in: you can somehow hack into the computer
wich is running the software), but of the encryption algorithms used.

So it can be compared to a package implementing md5: Yes, it's known
that md5 is not secure any more, but that's not a reason to remove all
packages implementing md5 from debian.

One could argue that encfs shouldn't be used any longer to encrypt
files, and therefore encfs is just not useful and can be removed.

But many users will have legacy installations using encfs encrypted file
systems, and will be surprised that they can't access them any more from
jessie. So removing encfs will cause major inconveniences to some of our
users.

Therefore, I propose that encfs should be allowed into jessie.

(What would be the right way to do that? Lower the severtiy of the bug?
Add a jessie-ignore tag?)

To notify users about the potential security issue, a NEWS file could
be added, or one could add a warning to the output of the encfs command.

Regards,
Jan

Reply to:

Follow-Ups:
- Re: Allow encfs into jessie?
  - From: Eduard Bloch <edi@gmx.de>

Prev by Date: Re: Seeking help with OpenVPN scripts and systemd
Next by Date: Re: upgrades must not change the installed init system [was: Re: Cinnamon environment now available in testing]
Previous by thread: Bug#761158: ITP: kvmcs -- kvm in client/server environment
Next by thread: Re: Allow encfs into jessie?
Index(es):
- Date
- Thread