On Thu, Mar 11, 2010 at 08:28:49PM +0100, Florian Weimer wrote:
> * Sam Bisbee:
>
> > On Thu, Mar 11, 2010 at 07:07:13AM +0100, Florian Weimer wrote:
> >> * Sam Bisbee:
> >>
> >> > As the last communication for bug #570013
> >> > (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=570013) was on 2/19, I will
> >> > be closing this bug on 3/19 unless there is any further information sent to it.
> >>
> >> Ahem, has the bug been fixed?
> >
> > Florian, as my e-mail detailed we have been waiting for more information on
> > this ticket for about a month.
>
> Upstream has said that they are discussing it on their non-public
> security mailing list. So I guess we have to wait for them to come up
> with a solution.

As I detailed in my e-mail a month ago (Message #19 in the thread, which got
mis-ordered by BTS), I know of no viable programmatic solution that we could
employ. All of the suggested solutions that I know of are either flawed (i.e.,
tokens) or are security through obscurity (which we don't want). In that e-mail
I asked if you knew of any other solution, which I would be happy to consider.

If you don't have any suggestions, and since this is really a flaw of
client/server architectures (you can never trust the client) and not CouchDB or
its Futon interface, I'll be closing this ticket with a wontfix tag.

Of course, if a solution is found in the industry or upstream releases
something, then I'll associate those changes with this ticket.

Cheers,

--
Sam Bisbee