On Mon, 2021-05-03 at 11:49 +0200, Marc Haber wrote:
> apg is dead upstream. We can either pull the package (forcing people
> back to pwgen, which probably has comparable issues) or document the
> issues away.

I wouldn't pull the package - it's probably still much better to use these passwords than anything the user comes up with himself. And anyone doing real security will probably know that pronounceable passwords will have less entropy unless it's something like diceware.

> Would you want to provide wording for a README.Debian or an addition
> to the package description?

I would have rather written a patch that adds the information to the manpages and gives a message to stderr when using -a 0. Maybe even mentioning something like diceware to be more secure when it comes to memorable passwords. Would that be okay for you?

But even then... do you perhaps happen to have any connections to some better security expert (maybe in the Debian security team)? I would like to know whether my point (2) with the capital-letter-must-include modes is a real thing... and whether we should warn about that, too. Only a few people would actually read README.Debian.

> For bullseye, "pull package" is the only viable solution now.

I'd say keep it... the
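The question raised above, whether a "must include a capital letter" mode costs entropy, can be checked by counting: a must-include rule shrinks the set of admissible passwords, and the entropy of a password drawn uniformly from that set is log2 of its size. The following Python is an added illustration for this thread, not code from apg or from the Debian packaging; it assumes the generator draws uniformly from the constrained set (how apg actually samples is not described in the thread), and the alphabet sizes (62 alphanumerics, 26 uppercase, 10 digits) are constructed for the example. The count uses inclusion-exclusion over the classes that could be missing, so it also handles several required classes at once.

```python
import math
from itertools import combinations


def count_with_required_classes(alphabet_size, length, class_sizes=()):
    """Number of strings of `length` symbols over an alphabet of `alphabet_size`
    symbols that contain at least one symbol from each class in `class_sizes`
    (classes are assumed disjoint, e.g. uppercase letters and digits).

    Inclusion-exclusion: start from all strings, subtract those missing class 1,
    those missing class 2, ..., add back those missing two classes, and so on.
    """
    total = 0
    k = len(class_sizes)
    for r in range(k + 1):
        for missing in combinations(range(k), r):
            excluded = sum(class_sizes[i] for i in missing)
            total += (-1) ** r * (alphabet_size - excluded) ** length
    return total


def entropy_bits(alphabet_size, length, class_sizes=()):
    """Entropy in bits of a password drawn uniformly from the admissible set."""
    return math.log2(count_with_required_classes(alphabet_size, length, class_sizes))


def entropy_loss_bits(alphabet_size, length, class_sizes):
    """Bits lost by imposing the must-include rule, relative to an unconstrained
    uniform draw of the same length over the same alphabet."""
    return entropy_bits(alphabet_size, length) - entropy_bits(
        alphabet_size, length, class_sizes
    )


if __name__ == "__main__":
    # Constructed parameters: 62 alphanumerics, of which 26 uppercase and 10 digits.
    ALPHABET, UPPER, DIGIT = 62, 26, 10
    for length in (4, 8, 12):
        free = entropy_bits(ALPHABET, length)
        upper_only = entropy_loss_bits(ALPHABET, length, (UPPER,))
        upper_and_digit = entropy_loss_bits(ALPHABET, length, (UPPER, DIGIT))
        print(
            f"length {length:2d}: {free:6.2f} bits unconstrained, "
            f"-{upper_only:.3f} bits with required uppercase, "
            f"-{upper_and_digit:.3f} bits with required uppercase and digit"
        )
```

For uniform sampling the loss is real but small (a fraction of a bit at length 8), and it grows as the password gets shorter; a generator that instead forces the required character into a fixed position, or that is not uniform over the constrained set, would lose more, which is the part the count above cannot tell you about apg without reading its code.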