[Pkg-bazaar-maint] Bug#558460: bzr: Needs python-pycurl to verify SSL certificates, but only Suggests it
Josh Triplett
josh at joshtriplett.org
Sun Nov 29 04:50:29 UTC 2009
Package: bzr
Version: 2.0.2-1
Severity: important
(This seems very much like a security bug to me, but I've just filed it as
"important" for now for triage purposes.)
According to the description of bzr:
  Install python-paramiko if you are going to push branches to remote hosts with
  sftp, and python-pycurl if you'd like for SSL certificates always to be
  verified.
While bzr Recommends python-paramiko (assuming, sensibly, that most
people using bzr probably want to push as well as pull), it only
Suggests python-pycurl.
bzr should *not* ignore SSL certificate validation errors by default.
Given the importance of SSL certificate validation, bzr should at least
have a Recommends for python-pycurl, if not a full Depends.
- Josh Triplett
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.31-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages bzr depends on:
ii libc6 2.10.2-2 GNU C Library: Shared libraries
ii python 2.5.4-2 An interactive high-level object-o
ii python-celementtree 1.0.5-10 Light-weight toolkit for XML proce
ii python-central 0.6.13 register and build utility for Pyt
ii zlib1g 1:1.2.3.3.dfsg-15 compression library - runtime
Versions of packages bzr recommends:
pn bzrtools <none> (no description available)
ii ca-certificates 20090814 Common CA certificates
pn python-paramiko <none> (no description available)
Versions of packages bzr suggests:
pn bzr-gtk <none> (no description available)
pn bzr-svn <none> (no description available)
pn python-kerberos <none> (no description available)
pn python-pycurl <none> (no description available)
ii xdg-utils 1.0.2-6.1 desktop integration utilities from
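
The packaging concern raised in this report, as an added example that is not part of the original message or of any bzr or Debian tooling: a small audit that parses a Debian control stanza and flags security-relevant packages that a default APT install would not pull in. The stanza is constructed from the package lists in the report (the version constraint is made up to exercise the parser), and all function names are hypothetical.

```python
import re

# Constructed stanza: names mirror the report's lists; the version constraint is made up.
SAMPLE_STANZA = """\
Package: bzr
Depends: libc6 (>= 2.3), python, python-celementtree, python-central,
 zlib1g
Recommends: bzrtools, ca-certificates, python-paramiko
Suggests: bzr-gtk, bzr-svn, python-kerberos, python-pycurl, xdg-utils
"""

# Strongest first. APT installs Recommends by default, but not Suggests.
FIELDS = ("Pre-Depends", "Depends", "Recommends", "Suggests")
DEFAULT_INSTALLED = {"Pre-Depends", "Depends", "Recommends"}


def parse_stanza(text):
    """Return {field: value} for one control stanza, unfolding continuation lines."""
    fields, current = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and current:
            fields[current] += " " + line.strip()
        elif ":" in line:
            current, value = line.split(":", 1)
            fields[current] = value.strip()
    return fields


def relation_names(value):
    """Package names in a relationship field; versions dropped, alternatives split."""
    names = set()
    for clause in value.split(","):
        for alt in clause.split("|"):
            m = re.match(r"\s*([a-z0-9][a-z0-9+.\-]+)", alt)
            if m:
                names.add(m.group(1))
    return names


def strongest_relation(stanza_text, package):
    """Strongest relationship field naming the package, or None if it is absent."""
    fields = parse_stanza(stanza_text)
    return next((f for f in FIELDS if package in relation_names(fields.get(f, ""))), None)


def audit(stanza_text, required):
    """Map each required package to its field when a default install would skip it."""
    rels = {p: strongest_relation(stanza_text, p) for p in required}
    return {p: r for p, r in rels.items() if r not in DEFAULT_INSTALLED}
```

Calling `audit(SAMPLE_STANZA, ["ca-certificates", "python-pycurl"])` reports only `python-pycurl`, which sits in Suggests, matching the gap the report describes.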