
Re: Bug#954089: libplack-perl: Please verify server identity via SSL



On Sunday, 24 May 2020 20:00:28 CEST gregor herrmann wrote:
> > So, what are people's thoughts? Do we want to take this position
> > and change the default in Debian? Extending distribution to debian-perl
> > for wider visibility.
> 
> A tentative "yes" from me :)

A more firm "yes" from me ;-)

> Maybe we should seek communication with upstream in
> https://github.com/chansen/p5-http-tiny/issues/68 (or a new issue
> since that one is closed) as a next step?

I do not really agree with the rationale of
https://github.com/chansen/p5-http-tiny/issues/68. Most people won't make an
informed decision because they won't realize that TLS is disabled. The only
way for people to make an informed decision is to exit on error when
verify_ssl is not defined, which is not really user-friendly ;-)

I think TLS should be verified by default, even more so in Debian because our 
list of trusted CAs is regularly updated.

All the best
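
As an added illustration (not part of the original message, and not code from HTTP::Tiny or Debian), this Python sketch audits Perl source for HTTP::Tiny constructors that leave certificate verification to the module default, which is the case the message says callers do not notice. It assumes the attribute spelling `verify_SSL` from HTTP::Tiny's documentation; the function names and the sample Perl text are constructed for the example.

```python
import re

# Start of an HTTP::Tiny constructor call in Perl source.
CTOR = re.compile(r"HTTP::Tiny\s*->\s*new\b")
# Explicit setting of the verification attribute (spelling assumed: verify_SSL).
EXPLICIT = re.compile(r"\bverify_SSL\s*=>\s*([^,)\s]+)")
FALSE_VALUES = {"0", "''", '""', "undef"}

def constructor_args(src, pos):
    """Return the text inside the parentheses that follow pos, or '' if none."""
    while pos < len(src) and src[pos].isspace():
        pos += 1
    if pos >= len(src) or src[pos] != "(":
        return ""  # e.g. HTTP::Tiny->new; with no argument list
    depth = 0
    for j in range(pos, len(src)):
        if src[j] == "(":
            depth += 1
        elif src[j] == ")":
            depth -= 1
            if depth == 0:
                return src[pos + 1:j]
    return src[pos + 1:]  # unbalanced input: take the rest

def audit(src):
    """Classify each constructor as 'implicit', 'disabled' or 'enabled'.

    'implicit' means the call relies on whatever default the installed
    module ships. Limitation: options passed through a hash variable
    (e.g. %opts) or parentheses inside strings are not understood.
    """
    findings = []
    for m in CTOR.finditer(src):
        line = src.count("\n", 0, m.start()) + 1
        setting = EXPLICIT.search(constructor_args(src, m.end()))
        if setting is None:
            findings.append((line, "implicit"))
        elif setting.group(1) in FALSE_VALUES:
            findings.append((line, "disabled"))
        else:
            findings.append((line, "enabled"))
    return findings

# Constructed sample input, not taken from any real package.
SAMPLE = '''use HTTP::Tiny;
my $a = HTTP::Tiny->new;
my $b = HTTP::Tiny->new(
    timeout    => 10,
    verify_SSL => 1,
);
my $c = HTTP::Tiny->new(agent => "x", verify_SSL => 0);
my $d = HTTP::Tiny->new(timeout => (5 * 2));
'''
```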





