severity 736066 important
thanks

Dear Security Team,

FYI, as discussed in this bug report, I am lowering the severity of this
bug because I do not consider this a general security problem. It's
only an issue in specific scenarios which are sufficiently explained
now.

Regards,
Eduard.

* Eduard Bloch [Thu, Sep 11 2014, 04:55:14PM]:
> Hello,
> * Jan Niehusmann [Thu, Sep 11 2014, 12:12:08PM]:
> 
> > The bug report is about security issues, but these are not security
> > issues of the software (as in: you can somehow hack into the computer
> > which is running the software), but of the encryption algorithms used.
> > 
> > So it can be compared to a package implementing md5: Yes, it's known
> > that md5 is not secure any more, but that's not a reason to remove all
> > packages implementing md5 from Debian.
> ...
> > Therefore, I propose that encfs should be allowed into jessie.
> > 
> > (What would be the right way to do that? Lower the severity of the bug?
> > Add a jessie-ignore tag?)
> > 
> > To notify users about the potential security issue, a NEWS file could
> > be added, or one could add a warning to the output of the encfs command.
> 
> In fact, that is what I considered as a workaround, and even harder: add a
> debconf message with priority critical telling exactly those details.
> 
> Unless someone cries out loudly I will continue with this plan in a
> couple of days.
> 
> Regards,
> Eduard.
> 
> 

