On Wed, Oct 23, 2013 at 12:35:09AM +0200, Thibaut Varène wrote:
> > intrig...@debian.org wrote (08 Oct 2013 09:27:56 GMT) :
> >> as you are surely aware of, it's been known [1] since 2006 that
> >> clients supporting both OTRv1 and v2 (such as libotr 3.x) are subject
> >> to protocol downgrade attacks. It's also been known for
> >> a while that OTRv1 has serious security issues (that were the main
> >> reason for a v2, actually). In short, support v2 only is the only safe
> >> way to go these days.
> >
> >> [1] http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.165.7945
> >
> >> It took a while to obsolete older v1-only software, and another while
> >> to complete the libotr 4.x transition and get to a sane state in
> >> Debian testing. Now, I think the time has come when we can reasonably
> >> expect v2-only to work for everyone.
> >
> >> I think that the only reasonable course of action from now on is to
> >> patch libotr in stable and oldstable to only support OTR v1.
> >
> > (s/v1/v2/ in the last sentence, obviously.)
> >
> > Ping? If you have no time to take care of that, fair enough, but then
> > I would really appreciate to read your general opinion on the matter,
> > even if it's a simple "please go ahead and NMU". Thanks in advance!
>
> I have to admit having absolutely no time to deal with that. If everyone is
> fine this won't be disruptive for existing users of otr (it's not entirely
> clear to me what the implications of such a change are, TBH), you're more
> than welcome to NMU if you're confident this is The Right Thing(tm).
>
> Cheers,
>
> T-Bone
To be explicit, removing support for OTRv1 from libotr 3.x is totally fine
(and indeed libotr 4.x has already done it).

- Ian
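The downgrade intrigeri refers to above is easy to see once the version negotiation is written out. The following is an added, constructed example and not libotr code or anything posted in this thread: it models an OTR client's policy as the set of protocol versions it will accept (the equivalent of libotr's OTRL_POLICY_ALLOW_V1 / OTRL_POLICY_ALLOW_V2 flags), builds and parses the real OTR query strings ("?OTR?" offers v1 only, "?OTRv2?" v2 only, "?OTR?v2?" both), and lets an active attacker rewrite the query in flight. The session model is deliberately simplified (only the version choice is modelled, not the AKE); the function names are this example's own.

```python
"""Model of OTR version negotiation and the v1 downgrade attack.

Constructed example, not libotr code. Policy = set of accepted versions.
"""


def parse_query(msg):
    """Return (offered_versions, start, end) for the OTR query inside msg,
    or (set(), -1, -1) if msg carries no well-formed query."""
    start = msg.find("?OTR")
    if start < 0:
        return set(), -1, -1
    pos = start + 4
    versions = set()
    if msg.startswith("?", pos):            # "?OTR?" -> v1 is offered
        versions.add(1)
        pos += 1
    if msg.startswith("v", pos):            # "v<digits>?" -> listed versions
        end = msg.find("?", pos + 1)
        if end < 0:
            return set(), -1, -1            # malformed: unterminated list
        versions.update(int(c) for c in msg[pos + 1:end] if c.isdigit())
        pos = end + 1
    elif not versions:
        return set(), -1, -1                # "?OTR" followed by neither "?" nor "v"
    return versions, start, pos


def build_query(allowed):
    """Query string an initiator with the given allowed versions sends."""
    query = "?OTR"
    if 1 in allowed:
        query += "?"
    newer = sorted(v for v in allowed if v > 1)
    if newer:
        query += "v" + "".join(str(v) for v in newer) + "?"
    return query


def downgrade_to_v1(wire):
    """Active attacker on the path: rewrite any query so only v1 is offered."""
    offered, start, end = parse_query(wire)
    if not offered:
        return wire
    return wire[:start] + "?OTR?" + wire[end:]


def choose_version(offered, allowed):
    """Responder picks the highest version both sides accept, or None."""
    common = offered & allowed
    return max(common) if common else None


def run_session(initiator_policy, responder_policy, attacker=None):
    """Return the protocol version the two peers end up on, or None if no
    session is established. The responder's first AKE message carries the
    chosen version, which the initiator checks against its own policy."""
    wire = build_query(initiator_policy)
    if attacker is not None:
        wire = attacker(wire)
    version = choose_version(parse_query(wire)[0], responder_policy)
    if version is None or version not in initiator_policy:
        return None
    return version


if __name__ == "__main__":
    BOTH, V2_ONLY = {1, 2}, {2}
    cases = [
        ("both / both, no attacker", BOTH, BOTH, None),
        ("both / both, attacker   ", BOTH, BOTH, downgrade_to_v1),
        ("v2   / both, attacker   ", V2_ONLY, BOTH, downgrade_to_v1),
        ("both / v2,   attacker   ", BOTH, V2_ONLY, downgrade_to_v1),
        ("v2   / v2,   attacker   ", V2_ONLY, V2_ONLY, downgrade_to_v1),
    ]
    for label, ini, res, atk in cases:
        print(label, "->", run_session(ini, res, atk))
```

The second case is the problem the thread is about: two libotr 3.x peers that both still allow v1 end up on v1 whenever someone on the path rewrites "?OTR?v2?" into "?OTR?", and neither side sees anything wrong. As soon as either side drops v1 from its policy the rewritten query produces no session at all rather than a v1 one, which is the failure mode you want; the attacker can still deny service, but cannot push the conversation onto the broken protocol.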