Your message dated Tue, 29 Jun 2010 20:15:04 +0300
with message-id <[email protected]>
and subject line starttls removed from Debian
has caused the Debian Bug report #499774,
regarding starttls: does not support trust anchors nor verification level
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
499774: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499774
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: starttls
Version: 0.10-3
Severity: critical
starttls package should IMHO be removed from Debian repositories, as it
looks like a security joke:
- it does not allow passing trust anchors to be used to verify the
remote peer: are users expected to see the issue by themselves and not
use it?
- usage advertises a --verify option to set the verification level (no
details on accepted values): in all cases, it is not considered in the
code and SSL_VERIFY_NONE is used instead.
- The man page does not describe the options the program accepts and does
not warn the user about the lack of checks.
AFAICT, starttls provides a good example of how OpenSSL API should *not*
be used! Its use should only be limited to testing purposes and a *huge*
disclaimer on its limitations should be put somewhere.
Comments welcome.
Cheers,
a+
ps: [email protected] is in CC, because previous list of issues is
still valid against CVS version of starttls.
pps: Gnus ML is in CC as some people might be using it (for years?).
--- End Message ---
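The report above names two defects: no way to pass trust anchors, and a --verify option that is parsed but never applied, so SSL_VERIFY_NONE is always in effect. The following is an added example, not code from starttls or from either message, showing a client context that honours both settings through Python's ssl module (a wrapper around the same OpenSSL verification settings); the level names, the --ca-file/--ca-dir options and all function names are assumptions made for illustration.

```python
import argparse
import ssl

# Hypothetical level names for a --verify option; the report notes that the
# real tool never documented which values it accepts.
VERIFY_LEVELS = {"none": ssl.CERT_NONE, "peer": ssl.CERT_REQUIRED}


def build_client_context(verify="peer", ca_file=None, ca_dir=None):
    """Return a client SSLContext that actually applies the requested level."""
    if verify not in VERIFY_LEVELS:
        raise ValueError(f"unknown verify level: {verify!r}")
    # PROTOCOL_TLS_CLIENT starts from CERT_REQUIRED with hostname checking on.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if verify == "none":
        # Explicit opt-out only; check_hostname must be cleared first.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if not (ca_file or ca_dir):
        # Fail closed instead of silently running without trust anchors.
        raise ValueError("verification requested but no trust anchors given")
    ctx.load_verify_locations(cafile=ca_file, capath=ca_dir)
    return ctx


def audit(ctx):
    """List the weaknesses described in the report for a given context."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("peer certificate is not verified (SSL_VERIFY_NONE)")
    if not ctx.check_hostname:
        findings.append("peer name is not checked against the certificate")
    return findings


def context_from_argv(argv):
    """Parse the hypothetical command line and build the matching context."""
    parser = argparse.ArgumentParser()
    parser.add_argument("--verify", choices=sorted(VERIFY_LEVELS), default="peer")
    parser.add_argument("--ca-file")
    parser.add_argument("--ca-dir")
    ns = parser.parse_args(argv)
    return build_client_context(ns.verify, ns.ca_file, ns.ca_dir)


if __name__ == "__main__":
    # The always-unverified behaviour the report describes, made visible.
    for finding in audit(context_from_argv(["--verify", "none"])):
        print("WARNING:", finding)
```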
--- Begin Message ---
Version: 0.10-3+rm
Starttls has been removed from Debian, please see:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=587264
Therefore I close these bugs now.
Thanks,
Gergely
--- End Message ---