Package: bzr
Version: 2.0.2-1
Severity: important

(This seems very much like a security bug to me, but I've just filed it as "important" for now for triage purposes.)
According to the description of bzr:

    Install python-paramiko if you are going to push branches to remote hosts with sftp, and python-pycurl if you'd like for SSL certificates always to be verified.

While bzr Recommends python-paramiko (assuming, sensibly, that most people using bzr probably want to push as well as pull), it only Suggests python-pycurl. bzr should *not* ignore SSL certificate validation errors by default. Given the importance of SSL certificate validation, bzr should at least have a Recommends for python-pycurl, if not a full Depends.

- Josh Triplett

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.31-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages bzr depends on:
ii  libc6                2.10.2-2           GNU C Library: Shared libraries
ii  python               2.5.4-2            An interactive high-level object-o
ii  python-celementtree  1.0.5-10           Light-weight toolkit for XML proce
ii  python-central       0.6.13             register and build utility for Pyt
ii  zlib1g               1:1.2.3.3.dfsg-15  compression library - runtime

Versions of packages bzr recommends:
pn  bzrtools             <none>             (no description available)
ii  ca-certificates      20090814           Common CA certificates
pn  python-paramiko      <none>             (no description available)

Versions of packages bzr suggests:
pn  bzr-gtk              <none>             (no description available)
pn  bzr-svn              <none>             (no description available)
pn  python-kerberos      <none>             (no description available)
pn  python-pycurl        <none>             (no description available)
ii  xdg-utils            1.0.2-6.1          desktop integration utilities from