On Wed, 6 Mar 2019 04:11:41 +0100 Matija Nalis <mnalis-debian...@voyager.hr> wrote:
...
> "Severity: important" would indicate that package is just one small
> step away from "rendering it completely unusable to everyone", which

According to the documentation, "important" denotes: "a bug which has a major effect on the usability of a package, without rendering it completely unusable to everyone." I would say that misleading the user about certificate verification should be considered "a major effect on the usability of [the] package", but I think we've beaten this horse to death, so I defer to your judgment.

> looks too harsh to me in this case (as in many cases ssmtp is used
> only for non-TLS plaintext SMTP delivery on LAN from satellite
> machines to main MTA, which would then speak TLS to outside world
> etc.)
>
> "Severity: wishlist" however (as opposed to "normal") subtly
> indicates that there is some functionality that is *missing*, and
> that someone needs to think it over and write it, and that it might
> be a more complicated task and probably not a one-line fix (and thus
> it would probably be left to upstream to fix it, as Debian maintainer in
> most cases won't be fixing it h[im/er]self unless upstream is dead
> and someone else provides a verified good patch). It also indicates
> it might be due to design decisions, like here.
>
> I do agree completely with you that package should strongly indicate
> in its docs and description about its TLS deficiencies. If someone
> would write such a documentation patch, perhaps it might have a
> chance to be included.

I'll try to write something and submit it here.
> [ As a side note, even with certificate checking in place there are a
> lot of problems in today's "zillion untrusted CAs which we trust
> anyway" security model, and even more so if you move from the web
> world (where clients try to be secure, and even people might
> sometimes check basic credentials) to the unattended MTA world where
> almost nobody does, and the vast majority of MTAs will simply by
> default silently downgrade to plaintext if they think anything
> might be problematic with TLS support etc. ]

Celejar
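The silent downgrade described in the side note above is a client-side policy choice, not something the server imposes. The following added example (written for this page; it is not ssmtp code, not from this bug report, and not from any Debian package) contrasts an "opportunistic" client, which quietly carries on in plaintext when STARTTLS is missing or fails, with a "strict" client that refuses to continue. The server is a constructed in-process stand-in that answers EHLO, optionally advertises STARTTLS, and always rejects the STARTTLS command with a 454, so no real TLS handshake or certificate check happens here; `strict_tls_context()` shows the verification settings (chain and hostname checks, TLS 1.2 minimum) a real client would hand to `starttls()`. Host names, the policy names and the `454` text are assumptions for illustration.

```python
import smtplib
import socketserver
import ssl
import threading


class TLSDowngradeError(Exception):
    """Raised when the strict policy refuses to continue without verified TLS."""


class _FakeSMTPHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for an MTA (not a real server): answers EHLO,
    may advertise STARTTLS, but always refuses the STARTTLS command with
    a 454, which is what a server with a broken TLS setup typically does."""

    def handle(self):
        self.wfile.write(b"220 fake.example ESMTP\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd = line.strip().upper()
            if cmd.startswith((b"EHLO", b"HELO")):
                reply = [b"250-fake.example"]
                if self.server.advertise_starttls:
                    reply.append(b"250-STARTTLS")
                reply.append(b"250 8BITMIME")
                self.wfile.write(b"\r\n".join(reply) + b"\r\n")
            elif cmd.startswith(b"STARTTLS"):
                self.wfile.write(b"454 4.7.0 TLS not available\r\n")
            elif cmd.startswith(b"QUIT"):
                self.wfile.write(b"221 bye\r\n")
                return
            else:
                self.wfile.write(b"250 OK\r\n")


class FakeSMTPServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, advertise_starttls):
        self.advertise_starttls = advertise_starttls
        super().__init__(("127.0.0.1", 0), _FakeSMTPHandler)  # port 0: pick a free port


def strict_tls_context():
    """Client-side TLS settings a relay should insist on: chain verification
    against the system CA store plus hostname checking (both are enabled by
    create_default_context) and no protocol older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def negotiate(host, port, policy):
    """Open an SMTP session and report how mail would be carried.

    Returns "tls" or "plaintext". Under "strict", any failure to reach
    verified TLS raises TLSDowngradeError instead of falling back; under
    "opportunistic" (the common MTA default) the function silently returns
    "plaintext". A real MTA would reconnect before sending in the clear after
    a failed STARTTLS; this demo only sees the 454 path, where the session
    is still usable.
    """
    if policy not in ("strict", "opportunistic"):
        raise ValueError(policy)
    with smtplib.SMTP(host, port, local_hostname="client.example", timeout=5) as s:
        s.ehlo()
        if not s.has_extn("starttls"):
            if policy == "strict":
                raise TLSDowngradeError("server does not offer STARTTLS")
            return "plaintext"
        try:
            s.starttls(context=strict_tls_context())
        except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
            if policy == "strict":
                raise TLSDowngradeError(f"STARTTLS failed: {exc}") from exc
            return "plaintext"
        s.ehlo()  # RFC 3207: re-identify after the handshake
        return "tls"


def run_demo():
    """Run both policies against a server that does not advertise STARTTLS and
    one that advertises it but cannot complete it. Returns a dict keyed by
    (server_advertises_starttls, policy)."""
    results = {}
    for advertise in (False, True):
        srv = FakeSMTPServer(advertise_starttls=advertise)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        host, port = srv.server_address
        for policy in ("opportunistic", "strict"):
            try:
                outcome = negotiate(host, port, policy)
            except TLSDowngradeError as exc:
                outcome = f"aborted: {exc}"
            results[(advertise, policy)] = outcome
        srv.shutdown()
        srv.server_close()
    return results


if __name__ == "__main__":
    for (advertise, policy), outcome in run_demo().items():
        print(f"STARTTLS advertised={advertise!s:5} policy={policy:13} -> {outcome}")
```

Both opportunistic runs end in "plaintext" whether or not the server ever mentioned TLS, which is exactly the behaviour the side note complains about; both strict runs abort with a reason. To check what a real relay actually presents, a manual probe such as `openssl s_client -starttls smtp -connect mx.example:25 -verify_return_error` (host name assumed) makes the handshake fail loudly on an unverifiable certificate rather than continuing, which is the check ssmtp itself does not give you.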