neutral2016-htSm2yLGOjU posted on Tue, 04 Jul 2017 21:27:39 +0200 as excerpted:

> I have seen on the feature list that pan can only use TLS 1.0. This
> version is outdated and insecure. Can you implement a newer version of
> the TLS protocol?

As a long-term list participant trying to help people with pan where I can, but not a dev...

Updating the TLS code would be useful, but keep in mind for requests such as this that historically, pan development has always come in fits and starts, with lots of activity, updates, new features, etc, for perhaps a year or two, as a particular dev takes a strong interest, especially in scratching some of his own itches but bringing new code to all, interspersed with periods of several years with little more than maintenance patches from the various distro maintainers and others building it themselves and offering patches, primarily to keep pan building with updates of libraries and build toolchain.

Currently, pan is in one of those primarily maintenance-mode periods, so unless such a contributor takes an interest in updating the TLS code and provides a patch, it's unlikely to happen for some time. That said, now that you've mentioned it, the chances are greatly improved. =:^)

> Especially for Ubuntu 16.04 LTS would be great.

That's /extremely/ unlikely. Unless things have changed at Ubuntu in this regard recently, they don't tend to update pan at all in released versions, even when there's a security update[1] and an Ubuntu bug filed about it, as happened some years ago. As a result, Ubuntu users don't normally get pan version updates unless they build it themselves, until they install a new version of Ubuntu that happens to ship a newer pan as part of it.

Security updates aside (you'll need to talk to Ubuntu about that), there's a reason versions are labeled LTS. Tho they're /supposed/ to get security updates, the point of running an LTS is that you /don't/ get normal version updates, because the new versions bring new code, likely with new bugs, and users choose an LTS because they prefer not to deal with the risk and hassle involved in that sort of change, even at the cost of not getting new features such as support for newer TLS.

So if you're interested in new features such as newer TLS support in packages such as pan, I suggest that an LTS that blocks such version upgrades by policy may not be your best choice.

---
[1] Security update: Arguably, it was a minor one, and pan, as an optional-installation minor component, probably wasn't considered worth the trouble.

FWIW, the security issue was that pan wasn't taking care to strip the executable bit from saved files. Some groups have people posting malware (tho it's usually MS-platform executables), and in theory at least, they could have posted something targeted at *ix with the executable bit set. If a user happened to download and save that malware, presumably in the middle of a bunch of other downloads, and then click on it while browsing...

A workaround was to ensure that the umask was set to mask the executable bits before pan was started, and I actually had (and still have) a wrapper script that I use to launch pan that does just that (among other things I've found useful over the years), but the problem then becomes that pan can't dynamically create and enter new directories, because that requires the executable bit set on the directory. Once pan's directories are already created and the executable bit set appropriately, that's fine, but as I've found over the years, if pan needs to create a new dir, such a wrapper means problems, requiring a manual intervention to fix. Not so bad if you're the one who created the wrapper and thus presumably are familiar enough with Unix style permissions to recognize the problem and know how to fix it, but it'd be a breaking bug for many users.

Ubuntu updated pan to the new version that properly masked the executable bit on saved files in their next release, but that was months later. Meanwhile, Ubuntu users remained exposed. Like I said, they probably didn't figure it was worth the trouble (if they noticed the bug filing at all, IIRC no Ubuntu dev ever replied on it), because pan is a non-core optional component that few would have installed, but the fact that they left their users exposed for months despite people going to the trouble of filing the security bug, and despite /other/ distros fixing it and closing their bugs within a month or so, as you no doubt figured out from the discussion above, continues to grate on me to this day.

I'm sure it's obvious by now that I don't run either Ubuntu or LTSs, but of course, your computer, your choice. While I might differ in my choices for my systems, I'd not /dream/ of trying to overrule yours for yours, tho of course that doesn't mean I can't try to convince you to change them. =:^)

--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master -- and if you use the program, he is your master." Richard Stallman

_______________________________________________
Pan-users mailing list
Pan-users@nongnu.org
https://lists.nongnu.org/mailman/listinfo/pan-users
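The footnote above describes two things worth seeing side by side: the umask-wrapper workaround (which keeps saved files non-executable but also produces directories without the search bit, so the client can no longer create and enter new ones), and the proper fix of clearing the execute bits on each saved file explicitly. The following is an added illustration written for this thread, not pan's own code; `save_attachment`, `run_demo` and the sample payload are constructed for the example and make no claim about pan's actual save path.

```python
import os
import shutil
import stat
import tempfile

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def search_bit_set(path):
    """True if the owner execute/search bit is set on path (mode check, not
    os.access, because root bypasses permission checks and would hide the
    effect)."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & stat.S_IXUSR)


def save_attachment(path, data):
    """Hypothetical 'proper fix': write data to path and guarantee the file
    is never executable, independent of the process umask.

    Parent directories are created with 0o755 so a new group directory stays
    enterable; the saved file then has every execute bit cleared explicitly.
    """
    parent = os.path.dirname(path)
    if parent:
        os.makedirs(parent, mode=0o755, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    try:
        os.write(fd, data)
        # Strip exec bits on the open descriptor, whatever the umask allowed.
        mode = stat.S_IMODE(os.fstat(fd).st_mode)
        os.fchmod(fd, mode & ~EXEC_BITS)
    finally:
        os.close(fd)
    return path


def umask_wrapper_save(base, data):
    """Reproduce the wrapper-script workaround from the thread: a umask that
    masks all execute bits (0o111) around a client that creates a directory
    with mode 0o755 and saves a file with the default 0o666."""
    old = os.umask(0o111)
    try:
        new_dir = os.path.join(base, "new.group.dir")
        os.mkdir(new_dir, 0o755)          # effective mode 0o644: no search bit
        saved = os.path.join(base, "plain.bin")
        with open(saved, "wb") as fh:
            fh.write(data)
        return new_dir, saved
    finally:
        os.umask(old)


def run_demo():
    """Run both approaches in a scratch directory and report the permission
    outcomes; the caller can compare them without reading the modes by hand."""
    # Constructed sample payload; it is not a real executable.
    payload = b"constructed sample attachment, not a real binary\n"
    base = tempfile.mkdtemp(prefix="pan-demo-")
    try:
        fixed = save_attachment(os.path.join(base, "alt.example", "file.bin"), payload)
        wrap_dir, wrap_file = umask_wrapper_save(base, payload)
        return {
            "fix_file_executable": bool(stat.S_IMODE(os.stat(fixed).st_mode) & EXEC_BITS),
            "fix_dir_enterable": search_bit_set(os.path.dirname(fixed)),
            "wrapper_file_executable": bool(stat.S_IMODE(os.stat(wrap_file).st_mode) & EXEC_BITS),
            "wrapper_dir_enterable": search_bit_set(wrap_dir),
            "wrapper_dir_mode": stat.S_IMODE(os.stat(wrap_dir).st_mode),
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {oct(value) if isinstance(value, int) and not isinstance(value, bool) else value}")
```

The wrapper path shows the breakage the footnote describes (the new directory ends up 0o644, so a non-root process can neither enter it nor create files inside it), while the explicit `fchmod` path keeps directories usable and still leaves the saved file without any execute bit. The same idea applies in C with `open(2)` plus `fchmod(2)`.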