Re: Midori for Squeeze

To: debian-release@lists.debian.org
Subject: Re: Midori for Squeeze
From: Moritz Muehlenhoff <jmm@inutil.org>
Date: Wed, 20 Oct 2010 22:28:02 +0200
Message-id: <[🔎] slrnibuk6i.290.jmm@inutil.org>
References: <[🔎] 20101017200841.GA9371@galadriel.inutil.org> <[🔎] 4CBBFC1E.7000605@debian.org> <[🔎] 20101018170345.GA2702@galadriel.inutil.org> <[🔎] 20101018133100.ec6f9a93.michael.s.gilbert@gmail.com>

On 2010-10-18, Michael Gilbert <michael.s.gilbert@gmail.com> wrote:
> On Mon, 18 Oct 2010 19:03:45 +0200, Moritz Muehlenhoff wrote:
>> In gmane.linux.debian.devel.release, you wrote:
>> > On 17/10/2010 22:08, Moritz Muehlenhoff wrote:
>> >> Hi Ryan/release team,
>> >> 
>> >> During my review of open security issues I noticed that the
>> >> version of Midori currently in Squeeze still has broken
>> >> HTTPS support. (#582213)
>> >
>> > This bug is only about packaging a new upstream release, maybe you were
>> > referring to #595813 ? Though afair midori in squeeze does support https
>> > (meaning, it can connect to an https website).
>> 
>> I'm referring to http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=19;bug=582213:
>> 
>> | it would be really nice to get 0.2.6 into squeeze. 0.2.5 introduced
>> | basic HTTPS certificate validation support, which is essential to do
>> | any serious HTTPS stuff which isn't only snakeoil security, like online
>> | banking. Previous midori releases supported HTTPS, but don't validate
>> | the server certificate against root certificates.
>> 
>> >> We shouldn't ship a browser with the state as-is. We could
>> >> either drop it or update to the version currently in sid?
>> >
>> > The version currently in sid is already outdated though (I've made some
>> > packaging for 0.2.8 but didn't upload yet, still not sure about taking
>> > over maintainership...)
>> >
>> > In any case, the https support by midori is working but not really
>> > satisfying. The browser can connect to https website, and in recent
>> > versions even change the url bar color, but that's all. There's no
>> > configuration support, no way to add an AC or a client certificate, no
>> > way to see the certificate a website is using.
>> >
>> > Some might think that makes the browser unusable and unsuitable for
>> > Squeeze, I'm not so sure. It's a shame the browser doesn't have a real
>> > https support, but it's still working and is a nice little browser. I
>> > don't think it should be installed by default but it's still useful in a
>> > stable release (imho).
>> 
>> WeÃ¶Ã¶ll, ie HTTPS support is so limited, it's unlikely to be used 
>> anyway, so we might just as well leave the current version in.
>
> Should the NEWS.Debian file state this to increase the likeliness of
> users being aware of the limitations?

Possibly, but I don't think it warrants a squeeze update on its own.

Cheers,
        Moritz

Reply to:

References:
- Midori for Squeeze
  - From: Moritz Muehlenhoff <jmm@inutil.org>
- Re: Midori for Squeeze
  - From: Yves-Alexis Perez <corsac@debian.org>
- Re: Midori for Squeeze
  - From: Moritz Muehlenhoff <jmm@inutil.org>
- Re: Midori for Squeeze
  - From: Michael Gilbert <michael.s.gilbert@gmail.com>

Prev by Date: Bug#600863: marked as done (unblock: kexec-tools/1:2.0.1-4)
Next by Date: Re: Security unblock requests
Previous by thread: Re: Midori for Squeeze
Next by thread: tiff-3.9.4-5: fixes RC Bug 600188
Index(es):
- Date
- Thread