On 06/06/13 22:19, Adam D. Barratt wrote:
> On Thu, 2013-05-23 at 11:10 +0100, Simon McVittie wrote:
>> Cc pkg-telepathy-maintainers: could someone who uses telepathy-idle
>> regularly please pick this up?

Apparently the answer to that is "no". :-(

>> Sorry, I've been holding off on this because the proposed patch is a
>> regression: users who were relying on the ability to get a
>> (man-in-the-middle-vulnerable) connection to an SSL IRC server whose
>> certificate is self-signed or untrusted can no longer do so. I didn't
>> think many people would fall into this category, but apparently quite a
>> lot do...

Does the RT have any opinion on which of the possible resolutions would
be acceptable/preferred for stable?

* upload 0.1.11-2+deb7u1 as-is, and accept the regression (Ubuntu did
  this; Sjoerd considers this unacceptable, AIUI)

* add an "ignore SSL errors" option that reverts to the old insecure
  behaviour (a small amount of new code, I would guess ~10 lines)

* upload 0.1.16 to wheezy (~1k lines of necessary code for interactive
  certificate prompting, ~1k lines of unrelated bugfixes and an
  unrelated new feature, but has actually been tested in this form)

* upload 0.1.16 to wheezy-backports (which should be trivial), and
  upload 0.1.11-2+deb7u1 with a NEWS file noting the regression and
  suggesting the backport

* backport the certificate bits from 0.1.16 to 0.1.11 (~ 1k lines of
  necessary code, mostly adapted from code in telepathy-gabble that is
  already in stable)

S