Re: Bug#962407: Bug#954089: libplack-perl: Please verify server identity via SSL
- To: 962407@bugs.debian.org
- Cc: debian-perl@lists.debian.org
- Subject: Re: Bug#962407: Bug#954089: libplack-perl: Please verify server identity via SSL
- From: Damyan Ivanov <dmn@debian.org>
- Date: Thu, 26 May 2022 12:28:16 +0000
- Message-id: <Yo9yYOJVWzPlzc6N@ktnx.net>
- In-reply-to: <Yo6QaV8x7iQEN8ek@jadzia.comodo.priv.at>
- References: <20200517153933.x444xmsx7pwjm6ov@fbd7c150-3361-11e8-8c11-5badabdd4a8d> <CAFHYt55BmsvEZAMTnUDot6AxCSFk6FYg4DGtGMXBagts_L+_-A@mail.gmail.com> <20200520220220.7s3bkjxv4ykcrk5r@urchin.earth.li> <20200524163854.eus6rdpbdapvv2xe@urchin.earth.li> <20200524180028.GB6846@jadzia.comodo.priv.at> <20200607162221.l5gnwrpwbydbdznh@urchin.earth.li> <CAFHYt55BmsvEZAMTnUDot6AxCSFk6FYg4DGtGMXBagts_L+_-A@mail.gmail.com> <20200607164541.nebj25hvjnthtoc2@urchin.earth.li> <CAFHYt55BmsvEZAMTnUDot6AxCSFk6FYg4DGtGMXBagts_L+_-A@mail.gmail.com> <Yo6QaV8x7iQEN8ek@jadzia.comodo.priv.at>
-=| gregor herrmann, 25.05.2022 22:24:09 +0200 |=-
> On Sun, 07 Jun 2020 17:45:41 +0100, Dominic Hargreaves wrote:
>
> > Correction, given the amount of time that's passed and that I'm not
> > even sure if the person who responded negatively on the previous
> > issue speaks for the current maintainers, I have opened a new issue:
> >
> > https://github.com/chansen/p5-http-tiny/issues/134
>
> Revisiting this issue now, the state seems to be:
>
> The upstream ticket was closed with
>
> "On reflection, we shouldn't make this change for backwards compatibility."
>
> So I guess we are back to the point where we have to discuss if we
> want to make the change on the Debian side and carry the patch (and
> keep the pieces if something breaks).
>
> I think we had a tendency to say "this change makes sense" and "it
> doesn't look like huge breakage ahead" but I guess someone needs to
> pick up this issue and take a deeper look.

I think we should make the change in Debian despite upstream's
decision.

Anything that breaks was already insecure and keeping it that way is
actually a disservice.

If I understand correctly, we are talking about a fix in unstable that
would propagate to the next stable release in the usual manner.
Contrary to a security update, this gives plenty of time for users for
tests.

-- Damyan