On Tue. 01 April 2014 at 07:57:15, Klaus Ethgen wrote:
> Pierre-Elliott Bécue wrote:
> >> The bug is security relevant, it breaks full systems and it renders
> >> ca-certificates completely useless for most of the people. So it _is_
> >> critical!
> >
> >In my opinion, something is security relevant when the security is
> >compromised in any way by this thing. Removing the CACert certificate definitely
> >breaks user space, and it exposes some security problems that existed
> >before, but it is not obvious that the system's security is broken by the
> >update:
> 
> Well, yes and no. Yes from a technical point of view. Even from this
> point of view the security is higher with _every_ removed certificate.
> But including the user behaviour to not care about checking the
> certificate of an unknown CA, this lowers the overall security.

The user behavior is, by design, not a security concern, as it's impossible
to prevent a user from overriding security features. Especially on an OS like
Debian.

The matter of security is proved only if the software misleads the user,
which is not the case.

I admit one can say I'm playing on concepts, but the truth is this update
causes bad behavior, not a security breach.

> 
> >> - mutt: Asking to prove a certificate that a normal user cannot know how
> >
> >  * The security flaw seems to be in the user behavior, it looks the same with a
> >  self-signed certificate. The point is, without any warning, something
> >  which was working is now broken, and many users will probably just say
> >  "trust" without further investigation. (But are mutt users "normal" users?)
> 
> I just gave the examples I use on a daily basis. For normal users there
> are similar programs. However, I also saw mutt users that just gave a
> fuck about the fingerprint they were provided with and just accepted it.

And Debian cannot be blamed for this kind of decision a user makes.

> >> - wget; you have to trust every certificate there without exception if
> >> there is no root certificate available.
> >
> >  * That is, in my opinion, also a user behavior problem.
> 
> No, it's a wget problem that you can only specify to not check any
> certificate or check any (--no-check-certificate). There is no way to
> only skip this particular certificate from one side.

You can add the mentioned certificate to the list manually, and it will work
again. Adding --no-check-certificate is in my opinion a (bad) user choice to
avoid a misunderstood problem.

> > But the fact is when you ran some (dist-)?upgrade, there were some
> > listchanges you could (should have) read, and when you see that CACert's
> > certificate is removed, you are kind of warned.
> 
> Yes, _I_ got warned and _I_ was able to downgrade to a working
> ca-certificates package. But unfortunately I am not a normal user.

Personally, I manually added the certificate in the right place. And I
don't see myself as a competent Debian user.

> A normal user does not see or even read all the changelogs from an update,
> they just do it.

And this is an OSI layer 8 problem. We should try to find a solution to
avoid this problem, but I think this problem is just revealed by the CACert
removal, not caused by it.

> > But, arguing on the bug severity (between important/critical)
> 
> I accepted the downgrade to important.

You didn't initially.

> I was just pissed off by downgrading it to wishlist. That is not a proper
> solution for such an important bug that is relevant for many if not all
> Debian users.

I'm not convinced that tagging with "wontfix" and setting the bug level at
"wishlist" was a good and well thought-out solution. Anyway, your reaction was
too violent.

> > with the package maintainers seems irrelevant if you wish to find a
> > (relevant) solution.
> 
> And exactly that is the problem. But I will not go further into this.

I hope so.

> > Arguing on the "stupidity" of the initial decision will probably
> > just push maintainers to ignore your request.
> 
> Sorry for not being able to be diplomatic. I just tell the truth or what I
> am thinking. I personally don't like false friendliness.

Being respectful and polite is not false friendliness, it's just a basis of
social conversation. In order to reach people's agreement and minds, it's kind
of necessary, and, actually, it's rewarding to think that I'm speaking with
a lot of friendliness to people I don't know. Because basically, unless
somebody does something I consider wrong, I think he deserves to be treated
as a friend.

> > I frankly agree with Thomas Koch about creating some specific packages for
> > non-trusted CAs.
> 
> Would be a possible solution, yes. But this does not change the fact
> that ca-certificates without cacert is somewhat useless.

Dear, there are many CAs, not just CACert.

Sincerely (and friendly) yours,

-- 
Pierre-Elliott Bécue
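The "add the certificate manually" route Pierre-Elliott mentions above, written out as an added example (this script is not part of the thread and not Debian's own tooling). It assumes a Debian system with the ca-certificates package installed: files with a `.crt` extension dropped into `/usr/local/share/ca-certificates/` are picked up by `update-ca-certificates` and merged into `/etc/ssl/certs/ca-certificates.crt`, which wget and other OpenSSL-based clients read. The file name `cacert.crt` and the URL in the usage line are placeholders. For a single download, wget's `--ca-certificate=FILE` trusts only that CA for that run, which is a narrower change than adding the CA to the system-wide store and far narrower than `--no-check-certificate`, which disables verification against every CA.

```shell
#!/bin/sh
# Added example: install one extra CA into Debian's local trust store and
# offer a one-off alternative, instead of disabling certificate checking.
# Assumes Debian's ca-certificates package; paths below are its documented ones.

LOCAL_CA_DIR="${LOCAL_CA_DIR:-/usr/local/share/ca-certificates}"

# Return 0 if the file carries at least one PEM certificate block.
# (update-ca-certificates expects PEM; a DER file would be silently ignored.)
is_pem_cert() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Destination inside the local trust directory. update-ca-certificates only
# considers files ending in .crt, so other extensions are normalised.
ca_dest_path() {
    base=$(basename "$1")
    case "$base" in
        *.crt) echo "$LOCAL_CA_DIR/$base" ;;
        *.pem) echo "$LOCAL_CA_DIR/${base%.pem}.crt" ;;
        *)     echo "$LOCAL_CA_DIR/$base.crt" ;;
    esac
}

# System-wide: copy the CA in and regenerate /etc/ssl/certs. Needs root.
install_ca() {
    src=$1
    is_pem_cert "$src" || { echo "not a PEM certificate: $src" >&2; return 1; }
    dest=$(ca_dest_path "$src")
    install -m 0644 -D "$src" "$dest"
    update-ca-certificates
}

# One-off: trust only this CA for this download; the system store is untouched.
fetch_with_ca() {
    ca_file=$1
    url=$2
    wget --ca-certificate="$ca_file" "$url"
}

# Usage (placeholders): sudo sh thisscript.sh ./cacert.crt
#                       fetch_with_ca ./cacert.crt https://example.invalid/file
if [ "$#" -gt 0 ]; then
    install_ca "$1"
fi
```

After `update-ca-certificates` runs, `openssl verify` or a plain `wget` against the site should succeed without any `--no-check-certificate`; if it still fails, check that the file really is PEM and really ends in `.crt`, since both conditions are required for the tool to pick it up.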
