Your message dated Wed, 29 Apr 2020 23:03:57 +0000
with message-id <[email protected]>
and subject line Bug#954042: fixed in inxi 3.1.00-1-1
has caused the Debian Bug report #954042,
regarding inxi: Please verify server identity via SSL
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
954042: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954042
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: inxi
Severity: important

Dear maintainer,

Your package uses the Perl module HTTP::Tiny but does not set the
verify_SSL attribute to a true value.

By default, that module does not validate the identity of server
certificates. The documentation states that "Server identity
verification is controversial and potentially tricky..." [1]

As late as 2015, upstream has been doubling down: "we're not going to be
responsible for the user's trust model" [2]

I believe, on the other hand, that the encryption of a transmission
has no value when talking to the wrong person. You can easily see the
useless and dangerous default by running the script at the end of this
message.

Will you please turn on the verify_SSL attribute in HTTP::Tiny?

Kind regards
Felix Lechner

[1] https://metacpan.org/pod/HTTP::Tiny#SSL-SUPPORT
[2] https://github.com/chansen/p5-http-tiny/issues/68

* * *

#!/usr/bin/perl

use HTTP::Tiny;

# Default client: verify_SSL is off, so the self-signed certificate served
# by self-signed.badssl.com is accepted and the request "succeeds".
my $response = HTTP::Tiny->new->get('https://self-signed.badssl.com/');
die "Failed!\n"
    unless $response->{success};

print "$response->{status} $response->{reason}\n";

# Repeated headers come back as array references, single ones as strings.
while (my ($k, $v) = each %{$response->{headers}}) {
    for (ref $v eq 'ARRAY' ? @$v : $v) {
        print "$k: $_\n";
    }
}

print $response->{content}
    if length $response->{content};

--- End Message ---
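The following script is an added example written for this page; it is not part of the bug report above and not inxi's own code. It issues the same request twice, once from an HTTP::Tiny client left at its defaults and once from a client constructed with verify_SSL set, so the difference the report describes is visible side by side. It assumes network access, that IO::Socket::SSL and Net::SSLeay are installed, and uses the self-signed test host from the report (an alternative URL can be passed as the first argument).

```perl
#!/usr/bin/perl
# Added example (not from the bug report or from inxi): compare an
# HTTP::Tiny client at its defaults with one that has verify_SSL on.
# Assumptions: network access, IO::Socket::SSL + Net::SSLeay present,
# and the self-signed test host used in the report (or argv[0]).
use strict;
use warnings;
use HTTP::Tiny;

my $url = $ARGV[0] // 'https://self-signed.badssl.com/';

# can_ssl() returns a true value when the SSL prerequisites are usable,
# or (0, $reason) when they are not; without them nothing can be verified.
my ( $has_ssl, $why ) = HTTP::Tiny->can_ssl;
die "HTTP::Tiny cannot do SSL on this system: $why\n" unless $has_ssl;

# Fetch $url with the given constructor options and report the outcome.
# Returns 1 when the client accepted the server, 0 when it refused.
sub fetch_with {
    my ( $label, %client_opts ) = @_;
    my $http = HTTP::Tiny->new( timeout => 10, %client_opts );
    my $res  = $http->get($url);

    printf "[%s] verify_SSL=%s -> ", $label, $http->verify_SSL ? 'on' : 'off';

    if ( $res->{success} ) {
        print "$res->{status} $res->{reason}: server accepted\n";
        return 1;
    }

    # HTTP::Tiny does not throw on transport failures; it returns a
    # synthetic 599 response with the exception text in {content}.
    if ( $res->{status} == 599 ) {
        ( my $err = $res->{content} ) =~ s/\s+\z//;
        print "transport error: $err\n";
        return 0;
    }

    print "$res->{status} $res->{reason}\n";
    return 0;
}

my $weak = fetch_with('default');                     # checks nothing
my $safe = fetch_with( 'verified', verify_SSL => 1 ); # chain + hostname

# With the default client the self-signed certificate goes unnoticed; the
# verifying client refuses it, which is the behaviour the report asks for.
print "\nThe default client talked to a server it could not identify.\n"
    if $weak && !$safe;

# A private CA is handled through SSL_options, not by switching
# verification off:
#   HTTP::Tiny->new( verify_SSL  => 1,
#                    SSL_options => { SSL_ca_file => '/path/to/ca.pem' } );
```

Two caveats when reading the output. A verifying client needs a CA store: HTTP::Tiny uses Mozilla::CA when installed and otherwise searches the usual system locations, and when neither exists every verified request fails with a 599 rather than silently succeeding, which is the safe direction. Also, later HTTP::Tiny releases (0.083, 2023) changed the default of verify_SSL to true, so on a current system the "default" client may refuse the certificate as well; setting the attribute explicitly remains the portable fix for code that has to run on the older versions the report was written against.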
--- Begin Message ---
Source: inxi
Source-Version: 3.1.00-1-1
Done: Unit 193 <[email protected]>

We believe that the bug you reported is fixed in the latest version of
inxi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Unit 193 <[email protected]> (supplier of updated inxi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384

Format: 1.8
Date: Wed, 29 Apr 2020 18:15:37 -0400
Source: inxi
Architecture: source
Version: 3.1.00-1-1
Distribution: unstable
Urgency: medium
Maintainer: Unit 193 <[email protected]>
Changed-By: Unit 193 <[email protected]>
Closes: 954042
Changes:
 inxi (3.1.00-1-1) unstable; urgency=medium
 .
   * New upstream version 3.1.00-1
     - Verify TLS certificates. (Closes: #954042)
   * d/compat, d/control:
     - Drop d/compat in favor of debhelper-compat, bump to 13.
   * d/control, d/copyright: Update email address.
Checksums-Sha1:
 9836071251342223ef802ab0414e72181a852de7 1879 inxi_3.1.00-1-1.dsc
 f3dcb1d2c4775280e725569d4b5d2af90e43ae41 331250 inxi_3.1.00-1.orig.tar.gz
 71eccbc026c6633413b64c4e6219fc96083ca86d 4912 inxi_3.1.00-1-1.debian.tar.xz
 a5b439a3e591b7a78bc777453bc1058ec4ca3402 5449 inxi_3.1.00-1-1_amd64.buildinfo
Checksums-Sha256:
 f8f2ec5c3f0c1326d8f51c8d77aa006b16958fc0f04f5b18ee1aeeee75fd83d4 1879 inxi_3.1.00-1-1.dsc
 ee6675489467cbfb90756db9aaf55da4bc5f7506cc8166d3a42ba28963e810f1 331250 inxi_3.1.00-1.orig.tar.gz
 118775c94f85e33147e85b5e30db1612c56e95e1388a6396d6c08bb0abf008a7 4912 inxi_3.1.00-1-1.debian.tar.xz
 fad25e28dddc395c75536cc616015e1d0af59932e490577609af9c13c241c68b 5449 inxi_3.1.00-1-1_amd64.buildinfo
Files:
 7b4b39c6ec57b682acb4b6fa4866e50c 1879 misc optional inxi_3.1.00-1-1.dsc
 77549e419ea9f6562ba63b060a8ce9ac 331250 misc optional inxi_3.1.00-1.orig.tar.gz
 d97dd176416baa50d9eb87bf49fd51ce 4912 misc optional inxi_3.1.00-1-1.debian.tar.xz
 0de10609d83a25a8ab691897e5664285 5449 misc optional inxi_3.1.00-1-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
