Bug#877656: kodi: supports insecure download of non-free addons

Jonas Smedegaard jonas at jones.dk
Wed Oct 4 09:33:51 UTC 2017


Quoting IOhannes m zmölnig (2017-10-04 09:31:09)
> On Wed, 04 Oct 2017 03:08:17 +0200 Jonas Smedegaard <dr at jones.dk> wrote:
> > Quoting Felipe Sateler (2017-10-04 00:32:21)
> > >
> > > I think your patch mainly addresses issue number 2, doesn't it? Fixing 
> > > issue 1 would require asking upstream to provide 
> > > https://mirrors.kodi.tv/addons/krypton/addons.xml.gz.md5 (and upgrade 
> > > to a better hash algorithm).
> > 
> > Uhm, my patch is the very window to not requiring upstream to solve the 
> > security issue: 
> 
> are you sure you wanted to say this?
> 
> for me it kind of implies that:
> - either all users of kodi use it only through the packages provided
> (and patched) by Debian.
> - or any other users are not affected by the security concerns of using
> http:// (e.g because only the http-implementation provided by Debian is
> susceptible to mitm-attacks)
> - or all non-Debian users simply don't deserve a solution for that
> security fix.
> 
> i cannot agree with any of these points, and i do think that any bug
> with severity "grave" that is not specific to Debian should be forwarded
> to upstream to be solved there (well, actually *any* bug that is non
> Debian-specific, not just the grave ones).

You read me wrong.

My patch allows us to _fix_ this bug without coordinating with upstream.

My patch does not, however, relieve us of our duty to _inform_ upstream 
of the underlying bug that it fixes.

Felipe stated that _fixing_ the bug _requires_ us to involve upstream, 
and I disagree with (only) that.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
