Quoting IOhannes m zmölnig (2017-10-04 09:31:09)
> On Wed, 04 Oct 2017 03:08:17 +0200 Jonas Smedegaard <d...@jones.dk> wrote:
> > Quoting Felipe Sateler (2017-10-04 00:32:21)
> > > I think your patch mainly addresses issue number 2, doesn't it? Fixing
> > > issue 1 would require asking upstream to provide
> > > https://mirrors.kodi.tv/addons/krypton/addons.xml.gz.md5 (and upgrade
> > > to a better hash algorithm).
> >
> > Uhm, my patch is the very window to not requiring upstream to solve the
> > security issue:
>
> are you sure you wanted to say this?
>
> for me it kind of implies that:
> - either all users of kodi use it only through the packages provided
>   (and patched) by Debian.
> - or any other users are not affected by the security concerns of using
>   http:// (e.g. because only the http-implementation provided by Debian is
>   susceptible to mitm-attacks)
> - or all non-Debian users simply don't deserve a solution for that
>   security fix.
>
> i cannot agree with any of these points, and i do think that any bug
> with severity "grave" that is not specific to Debian should be forwarded
> to upstream to be solved there (well, actually *any* bug that is non
> Debian-specific, not just the grave ones).
You read me wrong. My patch allows us to _fix_ this bug without
coordinating with upstream. My patch does not, however, relieve us of
our duty to _inform_ upstream of the underlying bug that it fixes.

Felipe stated that _fixing_ the bug _requires_ us to involve upstream,
and I disagree with (only) that.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private