On Mon, Jun 1, 2020 at 1:29 AM Axel Beckert <a...@debian.org> wrote:
> > You will need to work around this. As such this motivates critical me
> > think.
>
> I think "grave" is severe enough, as it "only" breaks HTTPS including
> apt with HTTPS-based mirrors (as the one mentioned above) and hence
> only "unrelated software/packages", not the whole system (like the
> kernel or the bootloader would do if the system won't boot anymore
> after an upgrade).
>
OK. I read the description about unrelated software a bit differently indeed. ("makes unrelated software on the system (or the whole system) break, or causes serious data loss, or introduces a security hole on systems where you install the package.")

> > just doing a straight up curl will hang until timeout. With the expired
> > cert disabled this is bypassed (without curl -k).
>
> Nope. curl exits immediately for me, at least in unstable (7.68.0-1):
>

Indeed. Sorry, me being inaccurate. I was testing this on old stable. As you noted later on as well =)

> Ack, stretch is affected, too, at least with lynx and — funnily again
> — curl (7.52.1-5+deb9u10).
>

Thanks for digging further into this issue.