
Re: Greetings from dash - Follow up



Dash Press <press@dash.org> writes:

> Hey guys
> I sent you an email recently about our
> “Security Paper” Ver 0.1.7
> https://dashpay.atlassian.net/wiki/x/CYCHBQ

> As a follow-up I wanted to ask for future removal of the MD5 and SHA1
> checksums as emphasized in chapter I.5.5.2.1.3 due to security risks. In
> addition please mention Apt-Transport-Tor integration for future Debian
> releases (chapter II.3.1#HINT 2). And finally please ask to remove HTTP
> mirrors and only provide HTTPS connections for downloads instead (chapter
> I.5.5.2#ATTENTION).

Hi!

You seem to have mistaken the Debian Project for a commercial company.
This isn't how Debian works.

If you find those things interesting to work on, you are welcome and
encouraged to join the relevant team and work on those tasks yourself,
after getting consensus from the other members of the team.  (This will
require active participation in the project, not just writing documents on
some closed-source wiki site that apparently have *six-deep nested
sections*.)

There are a variety of reasons why use of HTTPS is not as compelling as
you might think.  It's been much-discussed in the project.  Some people
are interested in it and may work on making it happen, but it's not really
a project priority and isn't likely to become one, since the benefits are
fairly marginal and debatable.

In any case, if you would like to discuss these topics, please discuss
them with us, like a human being talking to other human beings, using your
name and not a role account, and not using some external specification
document.  I think many of us get *way* more than we need of that sort of
thing in our day jobs, and in Debian we have the luxury of ignoring such
things completely.  :)

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

