
Bug#720426: pu: package openssl/1.0.1e-2



On Thu, Jan 30, 2014 at 08:09:44PM +0000, Adam D. Barratt wrote:
> On Mon, 2013-09-23 at 09:05 +0200, Kurt Roeckx wrote:
> > On Mon, Sep 23, 2013 at 05:35:23AM +0200, Cyril Brulebois wrote:
> > > Kurt Roeckx <kurt@roeckx.be> (2013-08-21):
> > > >   * Add Polish translation (Closes: #658162)
> > > >   * Add Turkish translation (Closes: #660971)
> > > >   * Enable assembler for the arm targets, and remove armeb.
> > > >     Patch by Riku Voipio <riku.voipio@iki.fi> (Closes: #676533)
> > > >   * enable ec_nistp_64_gcc_128 on *-amd64 (Closes: #698447)
> > > 
> > > I'm sorry but I don't think wishlist bug reports qualify for stable
> > > uploads. As usual, we could use more consistency across documentation,
> > > but either devref[1] or p-u[2] pages give an overview of what can be
> > > considered.
> > 
> > I actually consider the arm assembler and nistp curves to be
> > important, even if the bugs might only be filed at severity
> > level wishlist.  The nistp curves are even security related
> > since they are then implemented with constant time removing
> > a side channel attack.
> 
> I have to agree with Cyril here that the bug really shouldn't have such
> a low severity if it has genuine security impact.

If it makes you happy, I can mark the security related bugs
serious.  I'm also of the opinion that the severity wishlist
doesn't say anything about the importance.

> The changes have obviously had significant testing in unstable and
> testing by now; have any further related changes been required? Have the
> changes had any testing in a stable environment?

There have been no changes related to it.  I'm also pretty sure that
people actually do use that in production.


Kurt

