Sorry, I hadn't noticed that you had cc'd the mailing lists.  Please
find below my first response to Arnaud.

You surely know about the gnus usage of this, since you CC'd the
mailing list, sorry.

So my opinion is that a disclaimer should be placed, but SSL with
SSL_VERIFY_NONE is MUCH, MUCH, MUCH better than not using SSL at all.
And the joke is SSL's security model, where you are considered secure
if you pay $500/year, not starttls.

-=- my original response here: -=-

severity 499774 wishlist
thanks

Dear Arno,

Thanks for your suggestions and reasoning.  Probably you haven't
noticed that starttls is mainly an integration utility for
GNU/Emacs.  And yeah, it is also good for testing StartTLS-based
services as a system administrator.

I'm against the removal, since it will break imaps/pop3s connections
from Emacs-based MUAs (I'm at least sure about gnus, I use it hourly).
And I'm also against the removal, because this is a very good tool for
testing.

You are right, its package description should be changed and a
disclaimer should be placed.  Probably an 'are you sure?' question
shouldn't be implemented (or if implemented, it shouldn't be the
default), because it would block integrations like the one with Emacs.

As this is a documentation or a new feature request issue, I
changed severity to wishlist.

Thanks again for your contribution to Debian.  If you write, in a few
words, the disclaimer that in your opinion should be appended to the
package description, it would be a big help.

Gergely

On Mon, 22 Sep 2008 10:52:06 +0200, [EMAIL PROTECTED] (Arnaud Ebalard) writes:

> Package: starttls
> Version: 0.10-3
> Severity: critical
>
> starttls package should IMHO be removed from Debian repositories, as it
> looks like a security joke:
>
> - it does not allow passing trust anchors to be used to verify the
>   remote peer: are users expected to see the issue by themselves and not
>   use it?
> - usage advertises a --verify option to set the verification level (no
>   details on accepted values): in all cases, it is not considered in the
>   code and SSL_VERIFY_NONE is used instead.
> - The man page does not describe the options the program accepts and does
>   not warn the user about the lack of checks.
>
> AFAICT, starttls provides a good example of how OpenSSL API should *not*
> be used! Its use should only be limited to testing purposes and a *huge*
> disclaimer on its limitations should be put somewhere.
>
> Comments welcome.
>
> Cheers,
>
> a+
>
> ps: [EMAIL PROTECTED] is in CC, because the previous list of issues is
>     still valid against the CVS version of starttls.
> pps: Gnus ML is in CC as some people might be using it (for years?).
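The two behaviours argued over above (a client that hard-codes SSL_VERIFY_NONE and accepts no trust anchors, versus one that honours a verify setting) can be shown side by side without touching the network. The following is an added example written for this page, not code from the starttls package, from Gnus, or from either poster. It uses Python's ssl module to run the TLS handshake through in-memory BIOs against a throwaway self-signed certificate. Assumptions: the `openssl` command-line tool is available to mint that certificate, and the hostname `mail.example.test` and all function names are constructed for the illustration.

```python
"""Added example: SSL_VERIFY_NONE vs. real peer verification, in memory.

Not code from the starttls package. Requires the `openssl` CLI (assumption)
to create a self-signed test certificate; everything else is stdlib.
"""
import os
import ssl
import subprocess
import tempfile


def make_self_signed(tmpdir, hostname="mail.example.test"):
    """Mint a throwaway self-signed cert+key for `hostname` (constructed
    test material, generated with the openssl CLI)."""
    key = os.path.join(tmpdir, "key.pem")
    crt = os.path.join(tmpdir, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", crt, "-days", "1",
         "-subj", f"/CN={hostname}",
         "-addext", f"subjectAltName=DNS:{hostname}"],
        check=True, capture_output=True)
    return key, crt


def client_context(verify, cafile=None):
    """Build a client context the way a `--verify` option should behave.

    verify=False reproduces what the bug report describes: the equivalent
    of SSL_VERIFY_NONE, no trust anchors, no hostname check.
    verify=True requires a chain to a trust anchor in `cafile` (or the
    default store when cafile is None) and checks the hostname.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if verify:
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.check_hostname = True
        if cafile:
            ctx.load_verify_locations(cafile)
    else:
        # check_hostname must be cleared before verify_mode can be CERT_NONE
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def tls_handshake(client_ctx, server_ctx, server_hostname):
    """Drive client and server handshakes through paired MemoryBIOs.

    Returns (True, 0) on success, or (False, verify_code) when the client
    rejects the server certificate (e.g. 18 = self-signed, not trusted;
    62 = hostname mismatch, as defined by OpenSSL's X509_V_ERR_* codes).
    """
    c2s, s2c = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = client_ctx.wrap_bio(s2c, c2s, server_hostname=server_hostname)
    server = server_ctx.wrap_bio(c2s, s2c, server_side=True)
    pending = [client, server]
    for _ in range(10):
        for side in list(pending):
            try:
                side.do_handshake()
                pending.remove(side)
            except ssl.SSLWantReadError:
                pass  # needs more bytes from the other side
            except ssl.SSLCertVerificationError as exc:
                return False, exc.verify_code
        if not pending:
            return True, 0
    raise RuntimeError("handshake stalled")


def run_demo(hostname="mail.example.test"):
    """Run the four cases a `--verify` option distinguishes."""
    with tempfile.TemporaryDirectory() as tmp:
        key, crt = make_self_signed(tmp, hostname)
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(crt, key)
        return {
            # starttls-style: anything goes, untrusted cert is accepted
            "verify_none": tls_handshake(client_context(False), server_ctx, hostname),
            # verification on but no trust anchor: self-signed cert rejected
            "no_anchor": tls_handshake(client_context(True), server_ctx, hostname),
            # trust anchor supplied and hostname matches: accepted
            "anchor_ok": tls_handshake(client_context(True, crt), server_ctx, hostname),
            # trusted cert, but not for the host we meant to reach: rejected
            "wrong_host": tls_handshake(client_context(True, crt), server_ctx,
                                        "other.example.test"),
        }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case:12s} -> {result}")
```

The `verify_none` case is the one the bug report objects to: the handshake succeeds against a certificate nobody vouched for, so encryption is in place but an active attacker can substitute their own key. The `no_anchor` case shows why a `--verify` option is useless without a way to pass trust anchors, and the `wrong_host` case shows the check that a trust anchor alone does not give you.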
