
Re: Bug#954089: libplack-perl: Please verify server identity via SSL



-=| Felix Lechner, 18.03.2020 04:05:22 -0700 |=-
> Hi,
> 
> On Wed, Mar 18, 2020 at 3:18 AM Damyan Ivanov <dmn@debian.org> wrote:
> >
> > Fixing the root of the problem seems better for me for two reasons:
> 
> I wish I had checked with the Debian Perl team before filing the bugs.

That would have been nice, but there's no real harm done. The problem 
is real and needs to be reported and fixed one way or another. Thank 
you for caring.

> > we may have a chance convincing
> > HTTP::Tiny's author to flip the default
> 
> Please note the module is part of Perl core. Their support may be needed also.

Certainly.

-=| gregor herrmann, 18.03.2020 17:35:11 +0100 |=-
> On Wed, 18 Mar 2020 12:18:34 +0200, Damyan Ivanov wrote:
> 
> > Fixing the root of the problem seems better for me for two 
> > reasons:
> > 
> >  1) fix what is broken instead of working around it in numerous places
> >  2) consumers outside of Debian would benefit too
> 
> I agree, also with the rest of your mail. Thanks for moving this forward!
>  
> > But to fully measure the impact, it would be nice to have the number 
> > of failing packages built with a patched HTTP::Tiny.
> 
> I have one small concern: As the change is about checking remote SSL
> certs, and tests don't/can't/must not call out to the internet, is it
> possible that we won't really catch all potential issues?

Noted. The test rebuilds should be done without the usual isolation 
from the Internet.

I guess a closer inspection of the affected packages is needed.


-- dam

