Package: encfs
Version: 1.9.5-2
Severity: normal

Dear Maintainer,

I'm sure you are aware of the "security problems" of EncFS. The information is not clear to me, but to my knowledge there was a security audit some years ago and the upstream maintainer refused to invest more resources into the project and suggested migrating to gocryptfs.

There is a bug ticket at upstream summarizing some of the information:
https://github.com/vgough/encfs/issues/314

As a member of the upstream maintenance team for "Back In Time" (https://github.com/bit-team/backintime), which currently depends on EncFS, I am trying to find out how to deal with the problem. I am also trying to find out how big the problem really is.

Debian seems to keep EncFS. That indicates to me that the problem cannot be so big.

As upstream maintainer of Back In Time I'm unsure how to evaluate the situation. We are thinking about removing EncFS because of the security issues.

How do you evaluate the situation?

Kind
Christian Buhtz

-- System Information:
Debian Release: 12.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: arm64 (aarch64)

Kernel: Linux 6.1.0-12-arm64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_CRAP, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages encfs depends on:
ii  debconf [debconf-2.0]  1.5.82
ii  fuse3 [fuse]           3.14.0-4
ii  libc6                  2.36-9+deb12u3
ii  libfuse2               2.9.9-6+b1
ii  libgcc-s1              12.2.0-14
ii  libssl3                3.0.9-1
ii  libstdc++6             12.2.0-14
pn  libtinyxml2-9          <none>
ii  mount                  2.38.1-5+b1

encfs recommends no packages.

encfs suggests no packages.