Hi Julien, hi Paul,

On 03.05.2017 11:51, Julien Cristau wrote:
> I don't see how not checking certificates is in any way a reasonable
> thing to do. Silencing warnings about it makes it even worse.

Absolutely true - but:
- This has been the behavior of the Nagstamon package since forever (which is not a valid argumentation point - I know, but it's still a fact)
- It is actually the intended behavior by the upstream developer (until https://github.com/HenriWahl/Nagstamon/issues/302 gets resolved)
- the added patch just actually makes the disabling of warnings work (which worked before in jessie but not anymore in stretch)
- We anticipated the concerns regarding not checking certificates and wrote a paragraph in README.debian about our rationale for accepting that with regards to the primary type of user of such monitoring software

On 03.05.2017 11:32, Paul Wise wrote:
> I don't think the warnings should be disabled,
> I think that the certificates should be verified.
> Why are the warnings being disabled?

Because upstream chose to do so - I want to stress again that my patch just fixes the code to actually do what upstream wanted it to do.

Now whether these warnings are disabled or not isn't the real problem here - that should be clear. But it was because of these warnings (which, again, do not come from a change in behavior but just in reporting it), that Paul reported #861152 and tagged it as release critical which led to the package being put in the removal queue...

If you'd like, we can explicitly re-enable the warnings so the behavior is visible to the users. But I don't want to have nagstamon removed simply because of that...

What do you think?

Regards,
-- 
Moritz Schlarb
Unix-Gruppe | Systembetreuung
Zentrum für Datenverarbeitung
Johannes Gutenberg-Universität Mainz
Raum 01-321 - Tel. +49 6131 39-29441
OpenPGP Fingerprint: DF01 2247 BFC6 5501 AFF2 8445 0C24 B841 C7DD BAAF