severity 736066 important
thanks

Dear Security Team,

FYI, as discussed in this bug report, I am lowering the severity of this bug because I do not consider this a general security problem. It's only an issue in specific scenarios which are sufficiently explained now.

Regards,
Eduard.

* Eduard Bloch [Thu, Sep 11 2014, 04:55:14PM]:
> Hello,
> * Jan Niehusmann [Thu, Sep 11 2014, 12:12:08PM]:
>
> > The bug report is about security issues, but these are not security
> > issues of the software (as in: you can somehow hack into the computer
> > which is running the software), but of the encryption algorithms used.
> >
> > So it can be compared to a package implementing md5: Yes, it's known
> > that md5 is not secure any more, but that's not a reason to remove all
> > packages implementing md5 from debian.
> ...
> > Therefore, I propose that encfs should be allowed into jessie.
> >
> > (What would be the right way to do that? Lower the severity of the bug?
> > Add a jessie-ignore tag?)
> >
> > To notify users about the potential security issue, a NEWS file could
> > be added, or one could add a warning to the output of the encfs command.
>
> In fact, that is what I considered as workaround, and even harder: add a
> debconf message with priority critical telling exactly those details.
>
> Unless someone cries out loudly I will continue with this plan in a
> couple of days.
>
> Regards,
> Eduard.