Re: Revelation password manager issue

On 06/14/2012 10:42 AM, Kevin Fenzi wrote:
On Thu, 14 Jun 2012 07:40:50 -0500
Josh Bressers <josh@xxxxxxxxx> wrote:

Hello all,

I suspect this is going to be a weird problem to figure out.

Revelation password manager
https://admin.fedoraproject.org/pkgdb/applications/Revelation
Password Manager

Has been found to be unsafe.
http://knoxin.blogspot.co.uk/2012/06/revelation-password-manager-considered.html

I would hope it gets fixed at some future point, but something should
probably be done in the short term.

I'm not sure what Fedora precedent is on issues like this. We can't
really revoke such a package, and we also want to give users a warning
to use a different password manager (I'm not entirely sure how to best
do this).

Does anyone have any thoughts?

Sad ones. ;(

Possible options:

- Push out an update that adds a big warning dialog to the package
   pointing to the issues

- Obsolete the package with another password manager that's more secure.
This is not very ideal though as it's unlikely to have the same
features and so on.

- Update the package with a readme, etc. on the issue, replacing the
   binary. This is non-ideal as it's removing functionality (albeit
   insecure functionality).

I guess I would say the first option is the best, but that's something
that the maintainer(s) of the package should put together, or at least
agree with someone creating.


Yeah, a giant honking "this package is insecure read $URL before using"
click-through on startup would be completely reasonable.

--
        Peter
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel


