Hi Philippe, I'm the upstream.
What is this 'ugh' patch? The other points you raise are valid. I'll look into them when I get some time this week. Thanks.

On 27 June 2015 at 21:27, Philippe Grégoire <gregoi...@hotmail.com> wrote:
> Package: luakit
> Version: 2012.09.13-r1-4
> Severity: serious
>
> Dear Maintainer,
>
> Looking at globals.lua, I was considering that the low level of security was
> due to the (somewhat) aged package. Now, looking at the changes applied by the
> 'ugh' patch, I see some of these artifacts are not provided upstream, but rather
> by the maintainer. From what I understood from an earlier bug report, these
> changes were made due to non-reproducible builds. Now, before trying to enter
> testing again, I think the following points should be considered.
>
>
> Search engines
>
> All search engines, except github, are specified using an unsecured connection
> although all the servers do. The 'ugh' patch _downgrades_ them, actually. I am
> also wondering why Netflix was added, since, afaik, it doesn't work out of
> the box.
>
>
> x509 certificates
>
> Although debatable, support for user-provided x509 certificates is risky.
> Personally, I consider certificates installed system-wide (read: by root) much
> more trustable. For one, and simply, they cannot be modified by a rogue process
> run by the user.
>
> Regarding 'soup.ssl_strict = false', I don't think I need to explain.
>
>
> Looking up /etc/hosts
>
> I am pretty sure this is the job of /etc/nsswitch.conf
>
>
> Thank you
>
>
> -- System Information:
> Debian Release: stretch/sid
> APT prefers unstable
> APT policy: (500, 'unstable')
> Architecture: i386 (i686)
>
> Kernel: Linux 4.0.0-2-686-pae (SMP w/2 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: sysvinit (via /sbin/init)
>
> Versions of packages luakit depends on:
> ii libatk1.0-0 2.16.0-2
> ii libc6 2.19-18
> ii libcairo2 1.14.2-2
> ii libfontconfig1 2.11.0-6.3
> ii libfreetype6 2.5.2-4
> ii libgdk-pixbuf2.0-0 2.31.4-2
> ii libglib2.0-0 2.44.1-1
> ii libgtk2.0-0 2.24.28-1
> ii libjavascriptcoregtk-1.0-0 2.4.9-2
> ii liblua5.1-0 5.1.5-7.1
> ii libpango-1.0-0 1.36.8-3
> ii libpangocairo-1.0-0 1.36.8-3
> ii libpangoft2-1.0-0 1.36.8-3
> ii libsoup2.4-1 2.50.0-2
> ii libsqlite3-0 3.8.10.2-1
> ii libunique-1.0-0 1.1.6-5
> ii libwebkitgtk-1.0-0 2.4.9-2
> ii lua-filesystem [lua5.1-filesystem] 1.6.2-3
>
> luakit recommends no packages.
>
> luakit suggests no packages.
>
> -- no debconf information
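An added example, not from the bug report, the Debian package or luakit upstream: a small audit script for the two globals.lua settings the report calls out (plaintext search-engine URLs and `soup.ssl_strict = false`). It runs over a constructed globals.lua fragment; the `search_engines` table layout is an assumption modelled on the report's description, only `soup.ssl_strict` is taken from the page.

```python
import re

# Constructed sample of a globals.lua fragment; not the real Debian or upstream file.
# It deliberately carries both weaknesses the bug report describes.
SAMPLE_GLOBALS_LUA = """
soup.ssl_strict = false
search_engines = {
    luakit     = "https://github.com/luakit/luakit/issues?q=%s",
    google     = "http://google.com/search?q=%s",
    duckduckgo = "http://duckduckgo.com/?q=%s",
    wikipedia  = "http://en.wikipedia.org/wiki/Special:Search?search=%s",
}
"""

# 'soup.ssl_strict = <bool>' on a line of its own (key name taken from the report).
SSL_STRICT_RE = re.compile(r'^[ \t]*soup\.ssl_strict[ \t]*=[ \t]*(true|false)[ \t]*$', re.M)
# A search engine entry: name = "http(s)://..." with an optional trailing comma
# (assumed table layout).
ENGINE_RE = re.compile(r'^[ \t]*(\w+)[ \t]*=[ \t]*"(https?://[^"]*)"[ \t]*,?[ \t]*$', re.M)


def audit_globals(lua_text):
    """Return (kind, detail) findings: certificate checking disabled, and every
    search engine reached over plaintext HTTP (queries would leak on the wire)."""
    findings = []
    m = SSL_STRICT_RE.search(lua_text)
    if m and m.group(1) == "false":
        findings.append(("ssl_strict_disabled", "soup.ssl_strict = false"))
    for name, url in ENGINE_RE.findall(lua_text):
        if url.startswith("http://"):
            findings.append(("plaintext_search_engine", name))
    return findings


def harden_globals(lua_text):
    """Rewrite the fragment: force strict TLS validation and upgrade every
    http:// search engine to https:// (the servers the report mentions serve both)."""
    fixed = SSL_STRICT_RE.sub("soup.ssl_strict = true", lua_text)
    return ENGINE_RE.sub(lambda m: m.group(0).replace('"http://', '"https://', 1), fixed)


if __name__ == "__main__":
    for kind, detail in audit_globals(SAMPLE_GLOBALS_LUA):
        print(kind, detail)
    print(harden_globals(SAMPLE_GLOBALS_LUA))
```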