On Tue 2018-01-02 16:22:12 +0100, Stephan Sürken wrote: > On Thu, 2017-02-16 at 13:54 -0500, Daniel Kahn Gillmor wrote: >> Package: ui-auto >> Version: 1.2.9 > > (...) > >> the debrsign workflow isn't a particularly safe one (see discussion >> on >> https://bugs.debian.org/855282 and https://bugs.debian.org/855320). >> >> ui-auto should not encourage its use, and should probably either >> explicitly deprecate or just drop support for the debrsign option. >> >> Additionally, ui-auto-rsign seems to encourage the same dubious >> workflow of making ssh connections from untrusted machines to trusted >> machines. It should probably be deprecated or removed as well. > > thx for the note :). > > ui-auto is not actively developed any more, it's basically 'compat- > maintained' for projects still using it -- i.e., I do not much like > dropping functionality. > > Would it be sufficient to add appropriate warnings > > - in the example user.conf (*_rsign and *_debrsign options) > - when *_rsign resp. *_debrsign are called (as warning log) > - when ui-auto-rsign is called (as warning log) > > ?
I don't use ui-auto myself, so i can't say for sure where the warnings
are best placed.
The places you mention sound reasonable to me, though.
> Fwiw, both options (rsign or debrsign) are disabled by default and need
> explicit configuration by the user.
right, so wherever they're documented -- where people are likely to look
up the explicit configuration -- is probably a good place for the
warnings.
Finally, if you aren't actually maintaining the software, sometimes it
is better to explicitly terminate its support than to keep it on "life
support" -- explicit termination can help users migrate to
better-suported tools. or, if we're talking about tools within debian
itself, sometimes an explicit orphaning of a project causes another
maintainer to step up and take responsibility for it.
thanks for your work for debian!
all the best,
--dkg
signature.asc
Description: PGP signature

