Bug#962407: Bug#954089: libplack-perl: Please verify server identity via SSL

Damyan Ivanov dmn at debian.org
Thu May 26 13:28:16 BST 2022


-=| gregor herrmann, 25.05.2022 22:24:09 +0200 |=-
> On Sun, 07 Jun 2020 17:45:41 +0100, Dominic Hargreaves wrote:
> 
> > Correction, given the amount of time that's passed and that I'm not
> > even sure if the person who responded negatively on the previous
> > issue speaks for the current maintainers, I have opened a new issue:
> > 
> > https://github.com/chansen/p5-http-tiny/issues/134
> 
> Revisiting this issue now, the state seems to be:
> 
> The upstream ticket was closed with
> 
> "On reflection, we shouldn't make this change for backwards compatibility."
> 
> So I guess we are back to the point where we have to discuss if we
> want to make the change on the Debian side and carry the patch (and
> keep the pieces if something breaks).
> 
> I think we had a tendency to say "this change makes sense" and "it
> doesn't look like huge breakage ahead" but I guess someone needs to
> pick up this issue and take a deeper look.

I think we should make the change in Debian despite upstream's 
decision.

Anything that breaks was already insecure and keeping it that way is 
actually a disservice.

If I understand correctly, we are talking about a fix in unstable that 
would propagate to the next stable release in the usual manner.
Contrary to a security update, this gives plenty of time for users for 
tests.


-- Damyan


