On 05/03/2017 12:49 PM, Paul Wise wrote:
> On Wed, 2017-05-03 at 12:24 +0200, Moritz Schlarb wrote:
>
>> - This has been the behavior of the Nagstamon package since forever
>> (which is not a valid argumentation point - I know, but it's still a fact)
>
> There are two serious bugs here:
>
> 1) that certificates are not verified at least using CAs and/or TOFU
>
> 2) that this fact was deliberately hidden from users
>
So FWIW I'm not sure I agree about the severity of either of those things.
My opinion is that hiding the warning is a regression compared to
showing them, so I'd rather we didn't do that in stretch right now.

>> What do you think?
>
> I think we should enable the warnings in all suites.
>
> Once verification is available, backport the patch to all suites.
>
And I disagree that changing the behaviour in a stable release is
appropriate.

Cheers,
Julien