Abhijith,

> > otrs2
> > NOTE: 20200412: Asked upstream for clarity in CVE-2020-1769 patch
> > (abhijith)
> > + NOTE: 20200427: Cannot find the above comment on the various
> > commits/PRs, nor
> > + NOTE: 20200427: on the -dev mailing list. I suspect its entirely safe to
>
> I sent mail directly to the committer.

Thanks for clarifying. If so, please could you add a clarifying note to
dla-needed.txt? I suppose the rough principle here would be to collect
all relevant info so that in the case that someone needs to take up your
work they can do so with minimal duplicated effort.

> > + NOTE: 20200427: disable autocomplete without the cumbersome (and likely
>
> Isn't autocomplete more of a browser-dependent thing? I disabled
> autocomplete (without the switches) and tested in Firefox but it didn't
> work.

Indeed. For example, in Firefox:

  We intentionally ignore autocomplete=off for password forms. We
  believe giving users the option to save their passwords will result
  in better security than if users use the same simple password on all
  sites because otherwise they can't remember them.

  -- https://bugzilla.mozilla.org/show_bug.cgi?id=1353035#c2

Regardless and unrelated to the merits of this argument, I am now more
and more inclined to believe this is a no-dsa issue.

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org 🍥 chris-lamb.co.uk
       `-