Good evening,

Somebody is wrong on the Internet! (irony inside)

On Monday 31 March 2014 at 08:16:59 (+0100), Klaus Ethgen <kl...@ethgen.de>
wrote:
> The bug is security relevant, it breaks full systems and it renders
> ca-certificates completely useless for most people. So it _is_ critical!

In my opinion, something is security relevant when security is compromised
in any way by it. Removing the CACert certificate definitely breaks user
space, and it exposes some security problems that existed before, but it is
not obvious that the system's security is broken by the update:

> - mutt: Asking to prove a certificate that a normal user cannot know how

  * The security flaw seems to be in the user's behaviour; it looks the same
  as with a self-signed certificate. The point is, without any warning,
  something which was working is now broken, and many users will probably
  just say "trust" without further investigation. (But are mutt users
  "normal" users?)

> - ldap: Doesn't connect anymore with no hint in the error message (In
> fact, the error message stuff is an ldap problem, but it is triggered by
> a certificate that was removed but was there before.)

  * Pointing to one of the biggest OpenLDAP flaws as a consequence of the
  CACert certificate removal is great, but not a good deduction, especially
  when you seem to mean that it is normal user behaviour to do a dist-upgrade
  without reading listchanges and thinking twice. I admit I could have
  misinterpreted your point.

> - Net::LDAP from Perl (The same)

  * Same.

> - wget; you have to trust every certificate there without exception if
> there is no root certificate available.

  * That is, in my opinion, also a user behavior problem.

Basically, I agree with you: simply removing the CACert certificate without
providing any relevant way to work around it quickly (for a basic user), and
without providing any big warning (with LEDs, nude girls, and some kind of
tequila) wasn't that good.

But the fact is, when you ran a (dist-)?upgrade, there was a listchanges
entry you could (should) have read, and when you saw that CACert's
certificate was removed, you were kind of warned.

You can discuss whether this warning is sufficient or not, since user space
is really broken and normal users will do some stupid things. You can also
discuss whether the community should provide some "official" workaround to
avoid basic user misbehaviour, or not.

But arguing about the bug severity (between important/critical) with the
package maintainers seems irrelevant if you wish to find a (relevant)
solution. Arguing about the "stupidity" of the initial decision will probably
just push the maintainers to ignore your request.

I frankly agree with Thomas Koch about creating some specific packages for
non-trusted CAs.

Regards,

-- 
Pierre-Elliott Bécue
And now I'll go to sleep \o/
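As an added illustration of the wget point raised in the message above (this is example code written for this page, not something from the thread, from wget or from Debian's ca-certificates package): "trust every certificate" and "trust exactly this one root" are different operations, and only the second keeps verification meaningful once a root has been dropped from the system bundle. The root and server certificates are generated locally under made-up names ("Hypothetical Root CA", "Unrelated Root CA", mail.example.test), so nothing is fetched from the network; the script assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Debian's ca-certificates.
# It builds a throw-away root CA and a server certificate signed by it, then
# checks that certificate against (a) a bundle containing the issuing root and
# (b) a bundle containing an unrelated root. All names are made up and nothing
# touches the network. Requires the openssl command-line tool.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed root with CN=$1 as $WORK/$2.pem (private key in $WORK/$2.key).
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.pem" >/dev/null 2>&1
}

# Issue a server certificate for mail.example.test, signed by the root $WORK/$1.pem.
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" >/dev/null 2>&1
  openssl x509 -req -days 2 -in "$WORK/srv.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/srv.pem" >/dev/null 2>&1
}

# Verify the server certificate against the CA bundle given as $1.
# Prints "ok" when the chain builds to a root in that bundle, "fail" otherwise.
verify_against() {
  if openssl verify -CAfile "$1" "$WORK/srv.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

make_root "Hypothetical Root CA" hyporoot
make_root "Unrelated Root CA" other
make_server_cert hyporoot

# Trusting exactly the issuing root: the chain verifies.
echo "with issuing root in bundle:   $(verify_against "$WORK/hyporoot.pem")"

# A bundle without that root rejects the same certificate. This is what users
# hit after a root is dropped from ca-certificates. The safe answer is to add
# that specific root back (for wget: --ca-certificate="$WORK/hyporoot.pem";
# system-wide on Debian: copy the root as a .crt into
# /usr/local/share/ca-certificates/ and run update-ca-certificates), not to
# disable verification with --no-check-certificate, which accepts any cert.
echo "with unrelated root in bundle: $(verify_against "$WORK/other.pem")"
```

The difference matters for the mutt and LDAP cases in the same way: clicking "trust" or switching verification off accepts whatever certificate the network hands you, while installing the one missing root restores the original trust model.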
