
Re: Midori for Squeeze



On Mon, 18 Oct 2010 19:03:45 +0200, Moritz Muehlenhoff wrote:
> In gmane.linux.debian.devel.release, you wrote:
> > On 17/10/2010 22:08, Moritz Muehlenhoff wrote:
> >> Hi Ryan/release team,
> >> 
> >> During my review of open security issues I noticed that the
> >> version of Midori currently in Squeeze still has broken
> >> HTTPS support. (#582213)
> >
> > This bug is only about packaging a new upstream release, maybe you were
> > referring to #595813 ? Though afair midori in squeeze does support https
> > (meaning, it can connect to an https website).
> 
> I'm referring to http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=19;bug=582213:
> 
> | it would be really nice to get 0.2.6 into squeeze. 0.2.5 introduced
> | basic HTTPS certificate validation support, which is essential to do
> | any serious HTTPS stuff which isn't only snakeoil security, like online
> | banking. Previous midori releases supported HTTPS, but don't validate
> | the server certificate against root certificates.
> 
> >> We shouldn't ship a browser with the state as-is. We could
> >> either drop it or update to the version currently in sid?
> >
> > The version currently in sid is already outdated though (I've made some
> > packaging for 0.2.8 but didn't upload yet, still not sure about taking
> > over maintainership...)
> >
> > In any case, the https support by midori is working but not really
> > satisfying. The browser can connect to https website, and in recent
> > versions even change the url bar color, but that's all. There's no
> > configuration support, no way to add an AC or a client certificate, no
> > way to see the certificate a website is using.
> >
> > Some might think that makes the browser unusable and unsuitable for
> > Squeeze, I'm not so sure. It's a shame the browser doesn't have a real
> > https support, but it's still working and is a nice little browser. I
> > don't think it should be installed by default but it's still useful in a
> > stable release (imho).
> 
> Well, if HTTPS support is so limited, it's unlikely to be used
> anyway, so we might just as well leave the current version in.

Should the NEWS.Debian file state this to increase the likeliness of
users being aware of the limitations?

Mike

