Bug#877656: kodi: supports insecure download of non-free addons
IOhannes m zmölnig
zmoelnig at umlaeute.mur.at
Wed Oct 4 07:31:09 UTC 2017
On Wed, 04 Oct 2017 03:08:17 +0200 Jonas Smedegaard <dr at jones.dk> wrote:
> Quoting Felipe Sateler (2017-10-04 00:32:21)
> >
> > I think your patch mainly addresses issue number 2, doesn't it? Fixing
> > issue 1 would require asking upstream to provide
> > https://mirrors.kodi.tv/addons/krypton/addons.xml.gz.md5 (and upgrade
> > to a better hash algorithm).
>
> Uhm, my patch is the very window to not requiring upstream to solve the
> security issue:
are you sure you wanted to say this?
for me it kind of implies that:
- either all users of kodi use it only through the packages provided
(and patched) by Debian.
- or any other users are not affected by the security concerns of using
http:// (e.g because only the http-implementation provided by Debian is
susceptible to mitm-attacks)
- or all non-Debian users simply don't deserve a solution for that
security fix.
i cannot agree with any of these points, and i do think that any bug
with severity "grave" that is not specific to Debian should be forwarded
to upstream to be solved there (well, actually *any* bug that is non
Debian-sepcific, not just the grave ones) .
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 870 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/attachments/20171004/e28799c5/attachment.sig>
More information about the pkg-multimedia-maintainers
mailing list