Bug#792231: This needs examined as soon as possible

2015-08-03 Thread Tristan Seligmann
Unfortunately there are some significant challenges with 2.0+. The primary
issue is the dependency on tlslite, which was removed from Debian
previously due to being insecure and unmaintained. In addition, quite a bit
of the certificate handling code does things incorrectly (see eg. the
certificate chain verification code[1] that does not check the certificate
purpose, allowing anyone with a valid cert to sign a fraudulent cert as if
they were a CA).

I would very much welcome help with these issues, but be warned there is
most likely a fair amount of work involved in either rewriting the
cert-handling code to use another library (probably
python-openssl/python-cryptography), or resurrecting and maintaining the
tlslite package.

[1]
https://github.com/spesmilo/electrum/blob/master/lib/paymentrequest.py#L119

On Mon, 3 Aug 2015 at 15:51 Thomas Ward tew...@dark-net.net wrote:

> 1.9.8 is a year old.  In addition, 2.4 is the current version.
>
> Failing to update breaks recovery of wallets from newer versions, and
> there are quite a lot of improvements in 2.4 over 1.9.8 that should be
> reviewed and included.
>
> Thomas
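The purpose check Tristan describes as missing (an issuer must be marked as a CA before its signature on another certificate counts) is small in code but decisive. The block below is an added example written for this thread, not Electrum's code and not the linked paymentrequest.py; it uses python-cryptography, the library Tristan names as a likely replacement for tlslite. It builds a constructed root, an honest end-entity certificate, and a certificate signed with the end-entity key, then verifies the chain twice: once checking signatures only (the behaviour described in the report) and once also enforcing basicConstraints CA=TRUE and keyUsage keyCertSign on every issuer as RFC 5280 requires. All names, keys and dates are generated in the block and are not real.

```python
"""Constructed example: certificate chain verification that enforces
issuer purpose (basicConstraints / keyUsage), beside the signature-only
check that lets any certificate holder act as a CA.  Not Electrum's code;
names and keys are generated here and are not real."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _issue(subject_cn, issuer_cn, subject_key, signing_key, is_ca):
    """Issue a certificate; is_ca drives basicConstraints and keyUsage."""
    start = datetime.datetime(2015, 8, 3)  # fixed date, example only
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None),
                       critical=True)
        .add_extension(
            x509.KeyUsage(digital_signature=True, content_commitment=False,
                          key_encipherment=False, data_encipherment=False,
                          key_agreement=False, key_cert_sign=is_ca,
                          crl_sign=is_ca, encipher_only=False,
                          decipher_only=False),
            critical=True)
    )
    return builder.sign(signing_key, hashes.SHA256())


def _may_issue_certs(cert):
    """RFC 5280: an issuer must carry basicConstraints with CA=TRUE and, if
    keyUsage is present, assert keyCertSign.  A plain end-entity cert fails."""
    try:
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
    except x509.ExtensionNotFound:
        return False
    if not bc.ca:
        return False
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    except x509.ExtensionNotFound:
        return True
    return ku.key_cert_sign


def verify_chain(chain, trusted_roots, enforce_ca_constraints=True):
    """chain[0] is the end-entity cert; chain[-1] must be issued by a trusted root.

    With enforce_ca_constraints=False this is the signature-only check the
    bug report describes: every link is cryptographically valid, yet nothing
    stops an end-entity certificate from acting as an issuer."""
    for i, cert in enumerate(chain):
        if i + 1 < len(chain):
            issuer = chain[i + 1]
        else:
            issuer = next((r for r in trusted_roots if r.subject == cert.issuer), None)
            if issuer is None:
                return False, "issuer of %s is not in the trust store" % (
                    cert.subject.rfc4514_string())
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            return False, "bad signature on %s" % cert.subject.rfc4514_string()
        if enforce_ca_constraints and not _may_issue_certs(issuer):
            return False, "issuer %s is not a CA" % issuer.subject.rfc4514_string()
    return True, "ok"


def build_demo():
    """Constructed PKI: a root CA, an honest end-entity cert, and a cert that
    the end-entity key signed as though that certificate were a CA."""
    root_key = ec.generate_private_key(ec.SECP256R1())
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    other_key = ec.generate_private_key(ec.SECP256R1())
    root = _issue("Demo Root CA", "Demo Root CA", root_key, root_key, is_ca=True)
    leaf = _issue("merchant.example", "Demo Root CA", leaf_key, root_key, is_ca=False)
    forged = _issue("other.example", "merchant.example", other_key, leaf_key, is_ca=False)
    return {"root": root, "leaf": leaf, "forged": forged}


if __name__ == "__main__":
    d = build_demo()
    print(verify_chain([d["leaf"]], [d["root"]]))
    print(verify_chain([d["forged"], d["leaf"]], [d["root"]], enforce_ca_constraints=False))
    print(verify_chain([d["forged"], d["leaf"]], [d["root"]]))
```

The signature-only mode accepts the chain ending in merchant.example because the signatures really do verify; the default mode rejects it at the first link because the issuer lacks CA=TRUE. A production verifier would additionally check validity dates, path-length limits, name constraints and revocation, which are left out here to keep the purpose check in focus.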




Bug#792231: This needs examined as soon as possible

2015-08-03 Thread Thomas Ward
On 08/03/2015 10:41 AM, Tristan Seligmann wrote:
> Unfortunately there are some significant challenges with 2.0+. The
> primary issue is the dependency on tlslite, which was removed from
> Debian previously due to being insecure and unmaintained. In addition,
> quite a bit of the certificate handling code does things incorrectly
> (see eg. the certificate chain verification code[1] that does not
> check the certificate purpose, allowing anyone with a valid cert to
> sign a fraudulent cert as if they were a CA).
>
> I would very much welcome help with these issues, but be warned there
> is most likely a fair amount of work involved in either rewriting the
> cert-handling code to use another library (probably
> python-openssl/python-cryptography), or resurrecting and maintaining
> the tlslite package.
>
> [1]
> https://github.com/spesmilo/electrum/blob/master/lib/paymentrequest.py#L119

If that's the case, does it even remain feasible to keep this in Debian
with a year-old version that has its own incompatibilities with future
versions and its own problems?

Based solely on what you've said (a dependency doesn't exist anymore,
other handling codes being bad and thereby introducing a MITM problem,
etc.), it *sounds* like it should be removed...


Thomas


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#792231: This needs examined as soon as possible

2015-08-03 Thread Thomas Ward
1.9.8 is a year old.  In addition, 2.4 is the current version.

Failing to update breaks recovery of wallets from newer versions, and
there are quite a lot of improvements in 2.4 over 1.9.8 that should be
reviewed and included.

Thomas
