Hello,

* Eduard Bloch [Thu, Sep 11 2014, 04:55:14PM]:
> > (What would be the right way to do that? Lower the severity of the bug?
> > Add a jessie-ignore tag?)
> >
> > To notify users about the potential security issue, a NEWS file could
> > be added, or one could add a warning to the output of the encfs command.
>
> In fact, that is what I considered as workaround, and even harder: add a
> debconf message with priority critical telling exactly those details.
>
> Unless someone cries out loudly I will continue with this plan in a
> couple of days.

So, here is what I came up with. Does it sound scary enough, does it
sound generally acceptable?

Template: encfs/security-information
Type: note
_Description: Encfs Security Information
 According to a security audit by Taylor Hornby (Defuse Security), the
 current implementation of Encfs is vulnerable or potentially vulnerable
 to multiple attacks on the encrypted data. This especially affects use
 cases where the attacker has read/write access to the encrypted
 directory or has enough knowledge of the unencrypted file system
 contents.
 .
 In the current situation encfs should not be considered a safe home for
 sensible data. This package should be only used to retrieve information
 from previously encrypted sources, and even this action contains some
 risk of receiving compromised data.

Regards,
Eduard.