Hi Mike, thanks for the fast reply.
On Fri, Aug 16, 2019 at 10:10:27AM +0000, Mike Gabriel wrote: > > Another improvement of the fetch-ldap-cert script shipped with d-e-c > > 2.10.67 is the use of independent conditions for host and LTSP chroot > > (instead of the global condition introduced with commit f8f436e); but > > then the drawback caused by this change for LTSP chroots has also been > > dealt with via d-e-c 2.10.66 fixes. > > > > Mike, please comment. > > Futhermore, we now entirely fixed backwards compatibility (new Debian Edu > clients running against old Debian Edu TJENERs). This was the main flaw of > the original Debian 10.0 implementation. You can't use Debian Edu 10 clients > on a network running on a TJENER from 9.x or 8.x. > While investigating this, Petter pointed us to the security flaw of always > updating the LDAP server certificate on clients. Only deploying the LDAP > server cert once protects the user against password sniffing, if someone > malign takes over the network. Sure, but this has already been fixed (somehow) in d-e-c 2.10.66. So if the stable release team disagrees w/ 2.10.67, d-e-c 2.10.66 might be a fallback option. > Thus, fetch-ldap-cert must get into buster IMHO, it's a rewrite and it now > is easy to read, Sure, you improved it quite a lot :) Wolfgang
signature.asc
Description: PGP signature
