Hi, On Thu, Nov 05, 2015 at 09:42:59AM +0100, Andrew Shadura wrote: > On 05/11/15 02:49, James McCoy wrote: > > Thanks for taking a look at this. > > > > On Mon, Nov 02, 2015 at 09:05:23PM +0000, Andrew Shadura wrote: > >> commit 6469c52e8b694622607478475e7cfc67f1ec6a95 > >> Author: Andrew Shadura <[email protected]> > >> Date: Mon Nov 2 21:21:02 2015 +0100 > >> > >> Add STARTTLS support without certificate validity verification. > > > Why isn't certificate validation being done? > > Because very often SMTP doesn't have a perfectly valid certificate, so > it makes no sense to validate them.
But do you have supporting rationale that this is an accepted way for security concious people? Please present references beyond what you believe. (As long as this is optional behavior enabled via user's special command line option, I do not mind. But making such loose behavior as the default one raises red flag.) > >> Use Net::SMTPS for both SMTP+SSL and SMTP+STARTTLS. > >> When not connecting over SSL, always use Net::SMTPS in hope > >> it does STARTTLS when it's detected. If Net::SMTPS isn't > >> available, fall back to plain old Net::SMTP. > >> > >> Replace libnet-smtp-ssl-perl dependency with libnet-smtps-perl > >> dependency promoted to Recommends from Suggests. > > > Why the change to Recommends? > > So that it's more likely it's installed and used. Then so many other programs needs to be moved to Recommends. ssh-client bsd-mailx | mailx, mutt, w3m, ... Seriously, can you make libnet-smtp-ssl-perl optional by not always requirig it. Look at how LWP is used in uscan. It outputs nice error message if it is used by one of the executable in the devscripts package. ... > >> - require Net::SMTP::SSL; > >> + require Net::SMTPS; > >> + use IO::Socket::SSL; > > > This should be a require, otherwise it will happen at compile time, not > > runtime. > > It doesn't work then, I can't use IO::Socket::SSL::* options if I use > require. Any ideas how to make it work? Does uscan LWP example help you? (I am not perl expert to know the answer.) Osamu _______________________________________________ devscripts-devel mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/devscripts-devel
