Package: encfs
Version: 1.9.5-2
Severity: normal

Dear Maintainer,

I'm sure you are aware of the "security problems" of EncFS. The information is
not clear to me, but to my knowledge there was a security audit some years
ago, and the upstream maintainer refused to invest more resources into the
project and suggested migrating to gocryptfs.

There is a bug ticket at upstream summarizing some of the information

    https://github.com/vgough/encfs/issues/314

As a member of the upstream maintenance team for "Back In Time"
(https://github.com/bit-team/backintime), which currently depends on EncFS, I am
trying to find out how to deal with the problem. I am also trying to find out
how big the problem really is.

Debian seems to keep EncFS. That indicates to me that the problem cannot be so
big.
As upstream maintainer of Back In Time I'm unsure how to evaluate the
situation. We are thinking about removing EncFS because of the security issues.

How do you evaluate the situation?

Kind
Christian Buhtz


-- System Information:
Debian Release: 12.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: arm64 (aarch64)

Kernel: Linux 6.1.0-12-arm64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_CRAP, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages encfs depends on:
ii  debconf [debconf-2.0]  1.5.82
ii  fuse3 [fuse]           3.14.0-4
ii  libc6                  2.36-9+deb12u3
ii  libfuse2               2.9.9-6+b1
ii  libgcc-s1              12.2.0-14
ii  libssl3                3.0.9-1
ii  libstdc++6             12.2.0-14
pn  libtinyxml2-9          <none>
ii  mount                  2.38.1-5+b1

encfs recommends no packages.

encfs suggests no packages.
