Bug#877656:

2017-10-05 Thread Martijn Kaijser
As a Kodi team member I find this behaviour totally unacceptable. You are modifying the official Kodi source code without any approval from Team Kodi. It also shows there is zero interest in working with upstream (us) to properly solve this potential issue. As such you are in clear violation of our t

Bug#877656: kodi: supports insecure download of non-free addons

2017-10-04 Thread Jonas Smedegaard
Quoting IOhannes m zmölnig (2017-10-04 09:31:09) > On Wed, 04 Oct 2017 03:08:17 +0200 Jonas Smedegaard wrote: > > Quoting Felipe Sateler (2017-10-04 00:32:21) > > > > > > I think your patch mainly addresses issue number 2, doesn't it? Fixing > > > issue 1 would require asking upstream to provide

Bug#877656: kodi: supports insecure download of non-free addons

2017-10-04 Thread IOhannes m zmölnig
On Wed, 04 Oct 2017 03:08:17 +0200 Jonas Smedegaard wrote: > Quoting Felipe Sateler (2017-10-04 00:32:21) > > > > I think your patch mainly addresses issue number 2, doesn't it? Fixing > > issue 1 would require asking upstream to provide > > https://mirrors.kodi.tv/addons/krypton/addons.xml.gz.m

Bug#877656: kodi: supports insecure download of non-free addons

2017-10-03 Thread Jonas Smedegaard
Quoting Felipe Sateler (2017-10-04 00:32:21) > On Tue, Oct 3, 2017 at 7:04 PM, Jonas Smedegaard wrote: >> Quoting Felipe Sateler (2017-10-03 23:32:24) >>> On Tue, Oct 3, 2017 at 5:49 PM, Jonas Smedegaard wrote: Kodi supports downloading and loading addons at runtime. Official addon

Bug#877656: kodi: supports insecure download of non-free addons

2017-10-03 Thread Felipe Sateler
On Tue, Oct 3, 2017 at 7:04 PM, Jonas Smedegaard wrote: > Quoting Felipe Sateler (2017-10-03 23:32:24) >> On Tue, Oct 3, 2017 at 5:49 PM, Jonas Smedegaard wrote: >> > Package: kodi >> > Version: 2:17.3+dfsg1-2 >> > Severity: grave >> >> This severity feels a bit inflated. After all, you can downl

Bug#877656: kodi: supports insecure download of non-free addons

2017-10-03 Thread Jonas Smedegaard
Quoting Felipe Sateler (2017-10-03 23:32:24) > On Tue, Oct 3, 2017 at 5:49 PM, Jonas Smedegaard wrote: > > Package: kodi > > Version: 2:17.3+dfsg1-2 > > Severity: grave > > This severity feels a bit inflated. After all, you can download and > run non-free programs using a web browser too! When y

Bug#877656: kodi: supports insecure download of non-free addons

2017-10-03 Thread Felipe Sateler
On Tue, Oct 3, 2017 at 5:49 PM, Jonas Smedegaard wrote: > Package: kodi > Version: 2:17.3+dfsg1-2 > Severity: grave This severity feels a bit inflated. After all, you can download and run non-free programs using a web browser too! > Tags: security upstream patch > Justification: user security ho

Bug#877656: kodi: supports insecure download of non-free addons

2017-10-03 Thread Jonas Smedegaard
Package: kodi Version: 2:17.3+dfsg1-2 Severity: grave Tags: security upstream patch Justification: user security hole Kodi supports downloading and loading addons at runtime. Official addon feed is served only via http and contains non-free addons.