Bug#619439: Please do _not_ distribute gnutls-params in the package

Klaus Ethgen Klaus at Ethgen.de
Thu Mar 24 19:52:10 UTC 2011



Hi,

> Good evening,

The same to you, thanks.

On Thu, 24 Mar 2011 at 19:22, Andreas Metzler wrote:
> > The file /var/spool/exim4/gnutls-params can be found in exim4-base. This
> > file is of security relevance for TLS sessions of exim. So this file
> > must not be shared between different installations and must not be
> > readable by anyone other than exim itself.
[...]
> could you please consult <http://bugs.debian.org/475194> and
> double-check whether you have new info to add?

So let me sum up. You changed that because an anonymous person was
thinking that he (or she) is better than the people who program exim?

I'm not deep enough in the material to tell whether what he says is true
or false, but there is the recommendation in the manual, and just the
word of an anonymous person is enough to change the settings to a
possibly more insecure setting.

But I will go into the cryptographic basics to see if he is right. Until
then I cannot say that it is secure to open that prime material to the
world, and the fact that Debian is trusting an anonymous person more than
the exim people does not raise my trust in that package. Sorry to say.

Regards
   Klaus
- -- 
Klaus Ethgen                            http://www.ethgen.ch/
pub  2048R/D1A4EDE5 2000-02-26 Klaus Ethgen <Klaus at Ethgen.de>
Fingerprint: D7 67 71 C4 99 A6 D4 FE  EA 40 30 57 3C 88 26 2B

More information about the Pkg-exim4-maintainers mailing list