Hello, Errands is a graphical planning and task organizer application that supports using CalDAV to synchronize tasks from a provider. CalDAV is a set of conventions for using HTTP to access and manage calendar and task data; it's similar to what IMAP is for email. Errands is independently developed but part of the broad GNOME Circle ecosystem.
I was browsing upstream issue reports for an unrelated reason and saw https://github.com/mrvladus/Errands/issues/401 which I'll crudely transcribe the dialogue of below: [2025-08-15] powerjungle (reporter): "Is there a reason TLS certificate verification is disabled by default?" Code snippet: > Errands/errands/lib/sync/providers/caldav.py, Line 89 > ssl_verify_cert=False, Description: > Doesn't seem like a safe approach. Why isn't there a checkbox at least for > the user to choose? > I am aware of the rewrite [then-work-in-progress rewrite of Errands in C > instead of Python], but until then people would still be using the the > current python package in their distros. Effectively, Errands hard-codes in its source to never attempt verification of the certificate. I'm not just referring to validation here like checking a CRL or OCSP, but even name validation, so there is no authentication at all and the user is not notified even when they explicitly give an https:// URL for the server. The author of Errands had this reply: [2025-08-15] mrvladus (maintainer): > I can't remember exactly, but I think it was breaking something so I had to > disable that. I find this even more concerning than the average case of a client accepting any TLS certificate whatsoever, for these reasons: • Errands uses HTTP Basic or Digest authentication which is common for DAV clients, but it means TLS usage is absolutely essential with the password otherwise being sent in the clear. • The calendar and task data is quite revealing on its own; it may have information about one's residence, workplace, attachments, and obligations. Unlike much groupware, a to-do list application like this is often used to record one's own thoughts or priorities with no intention of them being visible to others. Am I overreacting? If this is an issue worthy of being fixed in Trixie, I would appreciate if someone who is better with their words and making the risks understandable why this needs to be made a priority. Above all, I'm sending this mail here to gather opinions about etiquette and to learn where the bar is before making a "big deal" about something. I'm merely an Errands user; I don't maintain the package or have a stake in it otherwise. Thanks, Debian hive mind 😉
signature.asc
Description: This is a digitally signed message part
smime.p7s
Description: S/MIME cryptographic signature
