On Sat, Mar 26, 2022 at 05:38:21PM +0100, Jonas Smedegaard wrote:
> Quoting Elliott Mitchell (2022-03-26 16:35:53)
> > Has been reported upstream:
> > https://github.com/Kozea/Radicale/issues/1183
> > 
> > Upstream has been completely unresponsive.  No fix is available.
> 
> Thanks for reporting this upstream where it belongs.
> 
> For the Debian packaging of Radicale the recommended use is to *not* 
> handle TLS directly but let another frontend web service handle that. 
> Upstream calls this approach "Reverse Proxy": 
> https://radicale.org/v3.html#reverse-proxy

"Recommended" means other configurations should function.  Notably
the documentation suggests running as a daemon is in theory
supported: https://radicale.org/v3.html#running-as-a-service

Reverse-proxy is also a specialized configuration not appropriate for
all situations.  For the setup I've got adding Apache or nginx would
more than double the size of the installation.  This would also add
Apache or nginx's security vulnerabilities to this setup (they've been
pretty good, but that is not perfect).

> Lowering severity accordingly.

important:
"a bug which has a major effect on the usability of a package, without
rendering it completely unusable to everyone."

Broken seems the definition of major effect on usability.  In fact I
believe "grave" is appropriate for this issue.

I don't know the frequencies of the various types of configuration.  I
have a suspicion standalone daemon is a very common configuration and
most users are unaware they're relying on the security of WPA2.


> > With no fix available this renders the Radicale package useless unless 
> > one wishes to run it with an insecure configuration (disable TLS/SSL).
> 
> No.  Radicale is certainly not useless.

Okay, that is true.  It is simply broken for the type of setup I've got
and no assistance has been forthcoming from upstream.

My hope was your channels as a package maintainer might be able to place
more pressure on upstream to address a grave bug.


-- 
(\___(\___(\______          --=> 8-) EHM <=--          ______/)___/)___/)
 \BS (    |         [email protected]  PGP 87145445         |    )   /
  \_CS\   |  _____  -O #include <stddisclaimer.h> O-   _____  |   /  _/
8A19\___\_|_/58D2 7E3D DDF4 7BA6 <-PGP-> 41D1 B375 37D0 8714\_|_/___/5445
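For readers who want to see what the "Reverse Proxy" deployment mentioned in the thread looks like in practice, here is an added example of an nginx front end terminating TLS and forwarding plain HTTP to a Radicale daemon bound to loopback. This is illustrative configuration written for this page; it is not taken from the bug report, the Debian package, or Radicale's own documentation, and the hostname, certificate paths, the `/radicale/` prefix and the port 5232 are assumptions.

```nginx
# Added example (not from the bug report or the Radicale project): nginx
# terminates TLS on 443 and proxies to Radicale over plain HTTP on loopback.
# Hostname, certificate paths, the /radicale/ prefix and port 5232 are
# assumptions for illustration; adjust them to the real deployment.
server {
    listen 443 ssl;
    server_name cal.example.org;

    ssl_certificate     /etc/ssl/certs/cal.example.org.pem;
    ssl_certificate_key /etc/ssl/private/cal.example.org.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location /radicale/ {
        # Radicale itself runs without TLS and must only listen on
        # 127.0.0.1:5232 ([server] hosts = 127.0.0.1:5232 in its config),
        # otherwise the cleartext port is reachable from the network.
        proxy_pass http://127.0.0.1:5232/;

        # Tell Radicale the prefix it is served under so generated
        # URLs point back through the proxy.
        proxy_set_header X-Script-Name /radicale;

        # Preserve the client address and Host for Radicale's logging.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;

        # Let the client's HTTP Basic credentials reach Radicale unchanged.
        proxy_pass_header Authorization;
    }
}
```

The important check after deploying this is that only nginx is reachable from outside: Radicale's `hosts` setting must name a loopback address, and a quick `ss -ltn` on the server should show 5232 bound to 127.0.0.1 rather than 0.0.0.0. Whether the extra daemon is worth it for a small install is exactly the trade-off the message above argues about.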
