Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable

Hi Mike,

thanks for the fast reply.

On Fri, Aug 16, 2019 at 10:10:27AM +0000, Mike Gabriel wrote:
> > Another improvement of the fetch-ldap-cert script shipped with d-e-c
> > 2.10.67 is the use of independent conditions for host and LTSP chroot
> > (instead of the global condition introduced with commit f8f436e); but
> > then the drawback caused by this change for LTSP chroots has also been
> > dealt with via d-e-c 2.10.66 fixes.
> > 
> > Mike, please comment.
> Furthermore, we now entirely fixed backwards compatibility (new Debian Edu
> clients running against old Debian Edu TJENERs). This was the main flaw of
> the original Debian 10.0 implementation. You can't use Debian Edu 10 clients
> on a network running on a TJENER from 9.x or 8.x.
> While investigating this, Petter pointed us to the security flaw of always
> updating the LDAP server certificate on clients. Only deploying the LDAP
> server cert once protects the user against password sniffing, if someone
> malign takes over the network.

Sure, but this has already been fixed (somehow) in d-e-c 2.10.66. So if 
the stable release team disagrees w/ 2.10.67, d-e-c 2.10.66 might be a 
fallback option.

> Thus, fetch-ldap-cert must get into buster IMHO, it's a rewrite and it now
> is easy to read,

Sure, you improved it quite a lot :)

