
Bug#790324: marked as done (luakit: Improve security level, dubious features)



Your message dated Thu, 03 Sep 2015 22:22:58 +0000
with message-id <E1ZXcuI-00055X-B4@franck.debian.org>
and subject line Bug#790324: fixed in luakit 2012.09.13-r1-7
has caused the Debian Bug report #790324,
regarding luakit: Improve security level, dubious features
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
790324: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=790324
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: luakit
Version: 2012.09.13-r1-4
Severity: serious

Dear Maintainer,

Looking at globals.lua, I was considering that the low level of security was
due to the (somewhat) aged package. Now, looking at the changes applied by the
'ugh' patch, I see some of these artifacts are not provided upstream, but rather
by the maintainer. From what I understood from an earlier bug report, these
changes were made due to non-reproducible builds. Now, before trying to enter
testing again, I think the following points should be considered.


Search engines

All search engines, except github, are specified using an unsecured connection
although all the servers do. The 'ugh' patch _downgrades_ them, actually. I am
also wondering why Netflix was added, since, afaik, it doesn't work out of
the box.


x509 certificates

Although debatable, support for user-provided x509 certificates is risky.
Personally, I consider certificates installed system-wide (read: by root) much
more trustable. For one, and simply, they cannot be modified by a rogue process
run by the user.

Regarding 'soup.ssl_strict = false', I don't think I need to explain.


Looking up /etc/hosts

I am pretty sure this is the job of /etc/nsswitch.conf


Thank you


-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 4.0.0-2-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages luakit depends on:
ii  libatk1.0-0                         2.16.0-2
ii  libc6                               2.19-18
ii  libcairo2                           1.14.2-2
ii  libfontconfig1                      2.11.0-6.3
ii  libfreetype6                        2.5.2-4
ii  libgdk-pixbuf2.0-0                  2.31.4-2
ii  libglib2.0-0                        2.44.1-1
ii  libgtk2.0-0                         2.24.28-1
ii  libjavascriptcoregtk-1.0-0          2.4.9-2
ii  liblua5.1-0                         5.1.5-7.1
ii  libpango-1.0-0                      1.36.8-3
ii  libpangocairo-1.0-0                 1.36.8-3
ii  libpangoft2-1.0-0                   1.36.8-3
ii  libsoup2.4-1                        2.50.0-2
ii  libsqlite3-0                        3.8.10.2-1
ii  libunique-1.0-0                     1.1.6-5
ii  libwebkitgtk-1.0-0                  2.4.9-2
ii  lua-filesystem [lua5.1-filesystem]  1.6.2-3

luakit recommends no packages.

luakit suggests no packages.

-- no debconf information

--- End Message ---
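The report above objects to three things in the packaged globals.lua: plain-http search-engine templates, a user-writable CA file being consulted for TLS validation, and `soup.ssl_strict = false`. The fix recorded in the changelog below switches the engines to https and adds soup-ssl-strict-true.diff. The following is an added example written by the editor, not the reporter's words and not the contents of luakit's shipped globals.lua or of the Debian patches; it places each weak setting beside a hardened form. It assumes the luakit rc-file globals of that era (`search_engines`, `soup.ssl_strict`, `soup.ssl_ca_file`, `luakit.data_dir`) and an `os.exists` helper provided by luakit; the engine URLs are illustrative, not the package's table. The /etc/hosts point is a resolver-configuration question and is not shown here.

```lua
-- Added example (editor's, not luakit's globals.lua or a Debian patch).
-- Assumed luakit rc globals: search_engines, soup.ssl_strict,
-- soup.ssl_ca_file, luakit.data_dir; os.exists assumed from luakit.

-- 1. Search engines -------------------------------------------------------
-- Weak: plain-http templates. The query leaves the machine in cleartext and
-- can be read or rewritten on path before the site redirects to TLS.
local search_engines_weak = {
    duckduckgo = "http://duckduckgo.com/?q=%s",
    wikipedia  = "http://en.wikipedia.org/wiki/Special:Search?search=%s",
}

-- Hardened: https templates, so the query itself is protected in transit.
search_engines = {
    duckduckgo = "https://duckduckgo.com/?q=%s",
    wikipedia  = "https://en.wikipedia.org/wiki/Special:Search?search=%s",
    github     = "https://github.com/search?q=%s",
}

-- Startup check: refuse any template that is not https, so a later edit or
-- patch cannot silently reintroduce an http engine.
local function assert_https_engines(engines)
    for name, url in pairs(engines) do
        if url:sub(1, 8) ~= "https://" then
            error(("search engine %q is not https: %s"):format(name, url))
        end
    end
end
assert_https_engines(search_engines)

-- 2. Certificate validation ------------------------------------------------
-- Weak: a CA file under the user's own data directory is tried first, and
-- strict checking is off, so an invalid or expired certificate still loads.
-- A process running as the user can append its own root to that file.
local ca_files_weak = {
    luakit.data_dir .. "/ca-certificates.crt",  -- user-writable
    "/etc/ssl/certs/ca-certificates.crt",
}
-- soup.ssl_strict = false

-- Hardened: trust only the root-owned system bundle and fail closed if it
-- is missing rather than falling back to a file the user can modify.
local system_ca = "/etc/ssl/certs/ca-certificates.crt"
if os.exists(system_ca) then
    soup.ssl_ca_file = system_ca
else
    error("system CA bundle missing: " .. system_ca)
end
soup.ssl_strict = true
```

With `soup.ssl_strict = true`, navigation to a host whose certificate does not chain to the system bundle fails instead of being rendered; that is the behaviour the changelog entry for soup-ssl-strict-true.diff describes.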
--- Begin Message ---
Source: luakit
Source-Version: 2012.09.13-r1-7

We believe that the bug you reported is fixed in the latest version of
luakit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 790324@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Santiago Vila <sanvila@debian.org> (supplier of updated luakit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 03 Sep 2015 23:35:48 +0200
Source: luakit
Binary: luakit
Architecture: source
Version: 2012.09.13-r1-7
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Santiago Vila <sanvila@debian.org>
Description:
 luakit     - fast and small web browser extensible by Lua
Closes: 790324
Changes:
 luakit (2012.09.13-r1-7) unstable; urgency=medium
 .
   * QA upload.
   * Change debian/patches/2012.09.13-r1-1.diff to use https on several
     search engines allowing it.
   * Add debian/patches/soup-ssl-strict-true.diff to not allow navigation
     on sites with invalid/expired ssl certificates. Closes: #790324.
Checksums-Sha1:
 9f8263e81f9407ce970da9ba556d1381382f9834 1581 luakit_2012.09.13-r1-7.dsc
 24412c58536feff472c5bdcdaa3b2e70dc00213c 6572 luakit_2012.09.13-r1-7.debian.tar.xz
Checksums-Sha256:
 4e487a34a5ed30d461d4c0dc84a59be3296816516fde47732bcfd3caa780dc98 1581 luakit_2012.09.13-r1-7.dsc
 71be05914aee74dc2530b7a544e91f9a7686ff88bcf512df26cbb8d2800139fc 6572 luakit_2012.09.13-r1-7.debian.tar.xz
Files:
 5043ec98d8d65a62c24f0a307c10cd14 1581 web optional luakit_2012.09.13-r1-7.dsc
 895896d487b6ab26fac96257abd42687 6572 web optional luakit_2012.09.13-r1-7.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJV6L2EAAoJEEHOfwufG4syFIwH/AiOC/umn93IDy9U5DpBhPrt
+ksUlppWDhqkxm8gfQbrghJmdpoIpxuLBK50/bt4izHaABD5m0mWcHPy5ndVAOkS
pt5UWAWsxCER55996yX0ncalJ4eqe6vc+20/ErQersn9PtDN+XpuKlnsrraBsBOg
etpyXH1NXFwA+DeW9BYCAXhNtgaHJdaGOln9FjPpyZSr0DACXgHBJ3DpcATkakam
dKfoiRhPi7ys38aZTmj4zjgQ4FpNxel9Ri2/uCat7lbxM49vEqcXhW53usr4gM5T
9qa3bxSLlTtWwEqO94kVz0zC7LtZAPhAopydxPHCDMdVoAKPlpOXPLbmJ/mJ1Pc=
=rIbe
-----END PGP SIGNATURE-----

--- End Message ---
