Re: Is 603450 realy release critical?

To: debian-release@lists.debian.org
Cc: 603450@bugs.debian.org
Subject: Re: Is 603450 realy release critical?
From: Bastian Blank <waldi@debian.org>
Date: Wed, 8 Dec 2010 10:37:24 +0100
Message-id: <[🔎] 20101208093723.GA30665@wavehammer.waldi.eu.org>
Mail-followup-to: debian-release@lists.debian.org, 603450@bugs.debian.org
In-reply-to: <[🔎] 20101208074530.GB30959@melusine.alphascorpii.net>
References: <[🔎] 20101208074530.GB30959@melusine.alphascorpii.net>

On Wed, Dec 08, 2010 at 08:45:30AM +0100, Alexander Reichle-Schmehl wrote:
> #603450 is a bug (currently with severity grave, Justification: user
> security hole), as offlineimap does no ssl certificate checking.

Could you explain why it should be acceptable to announce secure
operation but ignore the very basic principles of it? #564690 is an old
example of the same problem.

> There's patch floating arround, which has a major regression: It doesn't
> work for users of self signed certificates.

>From what I've seen in the bug, even you should be able to fix that.

Bastian

-- 
... bacteriological warfare ... hard to believe we were once foolish
enough to play around with that.
		-- McCoy, "The Omega Glory", stardate unknown

Reply to:

Follow-Ups:
- Re: Is 603450 realy release critical?
  - From: Alexander Reichle-Schmehl <tolimar@debian.org>
- Re: Is 603450 realy release critical?
  - From: Carsten Hey <carsten@debian.org>

References:
- Is 603450 realy release critical?
  - From: Alexander Reichle-Schmehl <tolimar@debian.org>

Prev by Date: Re: Bug#596899: Please unblock ia32-libs/20101012
Next by Date: Re: Your last phamm upload in Debian unstable
Previous by thread: Is 603450 realy release critical?
Next by thread: Re: Is 603450 realy release critical?
Index(es):
- Date
- Thread