
Re: Allow encfs into jessie?



Hello,
* Jan Niehusmann [Thu, Sep 11 2014, 12:12:08PM]:

> The bug report is about security issues, but these are not security
> issues of the software (as in: you can somehow hack into the computer
> which is running the software), but of the encryption algorithms used.
> 
> So it can be compared to a package implementing md5: Yes, it's known
> that md5 is not secure any more, but that's not a reason to remove all
> packages implementing md5 from debian.
...
> Therefore, I propose that encfs should be allowed into jessie.
> 
> (What would be the right way to do that? Lower the severity of the bug?
> Add a jessie-ignore tag?)
> 
> To notify users about the potential security issue, a NEWS file could
> be added, or one could add a warning to the output of the encfs command.

In fact, that is what I considered as a workaround, and even harder: add a
debconf message with priority critical telling exactly those details.

Unless someone cries out loudly I will continue with this plan in a
couple of days.

Regards,
Eduard.

