[Pkg-bitcoin-devel] Bug#792231: This needs examined as soon as possible

Thomas Ward teward at dark-net.net
Mon Aug 3 14:53:00 UTC 2015


On 08/03/2015 10:41 AM, Tristan Seligmann wrote:
> Unfortunately there are some significant challenges with 2.0+. The
> primary issue is the dependency on tlslite, which was removed from
> Debian previously due to being insecure and unmaintained. In addition,
> quite a bit of the certificate handling code does things incorrectly
> (see e.g. the certificate chain verification code[1] that does not
> check the certificate purpose, allowing anyone with a valid cert to
> sign a fraudulent cert as if they were a CA).
>
> I would very much welcome help with these issues, but be warned there
> is most likely a fair amount of work involved in either rewriting the
> cert-handling code to use another library (probably
> python-openssl/python-cryptography), or resurrecting and maintaining
> the tlslite package.
>
> [1]
> https://github.com/spesmilo/electrum/blob/master/lib/paymentrequest.py#L119

If that's the case, does it even remain feasible to keep this in Debian
with a year-old version that has its own incompatibilities with future
versions and its own problems?

Based solely on what you've said (a dependency doesn't exist anymore,
other handling code being bad and thereby introducing a MITM problem,
etc.), it *sounds* like it should be removed...


Thomas
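As an added illustration, not code from this thread, from Electrum or from Debian, the block below shows the purpose check the quoted message says paymentrequest.py lacks, written against python-cryptography (one of the replacement libraries Tristan mentions). `verify_chain` walks from the end-entity cert to a trust anchor and, besides checking names, validity and signatures, refuses any issuer whose BasicConstraints does not say CA=true (and whose KeyUsage, if present, lacks keyCertSign). `build_fixture` constructs a throwaway root, a non-CA leaf signed by it, and a third cert signed with the leaf's key, so the difference between checking and not checking purpose can be observed offline; every name, key and helper here is constructed for the demo, and `check_purpose=False` exists only to show what a signature-only verifier would accept.

```python
"""Chain verification with an explicit certificate-purpose check (demo, not Electrum code)."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
from cryptography.x509.oid import ExtensionOID, NameOID


def is_ca(cert):
    """True only if the cert asserts that it may issue certificates."""
    try:
        bc = cert.extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS).value
    except x509.ExtensionNotFound:
        return False                      # no BasicConstraints at all: not a CA
    if not bc.ca:
        return False
    try:
        ku = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE).value
    except x509.ExtensionNotFound:
        return True                       # no KeyUsage: BasicConstraints alone decides
    return ku.key_cert_sign


def _validity(cert):
    """Return (not_before, not_after) as tz-aware UTC across cryptography versions."""
    if hasattr(cert, "not_valid_before_utc"):        # cryptography >= 42
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    utc = datetime.timezone.utc
    return cert.not_valid_before.replace(tzinfo=utc), cert.not_valid_after.replace(tzinfo=utc)


def _check_signature(cert, issuer):
    pub = issuer.public_key()
    if isinstance(pub, rsa.RSAPublicKey):
        pub.verify(cert.signature, cert.tbs_certificate_bytes,
                   padding.PKCS1v15(), cert.signature_hash_algorithm)
    else:                                 # the demo fixture uses ECDSA keys
        pub.verify(cert.signature, cert.tbs_certificate_bytes,
                   ec.ECDSA(cert.signature_hash_algorithm))


def verify_chain(chain, trust_anchor, check_purpose=True, now=None):
    """chain[0] is the end-entity cert; chain[-1] must be issued by trust_anchor."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    issuers = chain[1:] + [trust_anchor]
    for cert, issuer in zip(chain, issuers):
        if cert.issuer != issuer.subject:
            return False, "issuer name mismatch"
        if check_purpose and not is_ca(issuer):
            # This is the check the thread describes as missing: without it a
            # valid end-entity cert can act as a CA for anything it signs.
            return False, f"{issuer.subject.rfc4514_string()} is not a CA"
        not_before, not_after = _validity(cert)
        if not (not_before <= now <= not_after):
            return False, "certificate outside validity period"
        try:
            _check_signature(cert, issuer)
        except InvalidSignature:
            return False, "bad signature"
    return True, "ok"


def _make_cert(subject, issuer_name, pubkey, signing_key, ca, serial):
    """Constructed demo certificate; KeyUsage mirrors the CA flag."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(subject).issuer_name(issuer_name)
               .public_key(pubkey).serial_number(serial)
               .not_valid_before(now - datetime.timedelta(days=1))
               .not_valid_after(now + datetime.timedelta(days=30))
               .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
               .add_extension(x509.KeyUsage(
                   digital_signature=True, content_commitment=False,
                   key_encipherment=False, data_encipherment=False,
                   key_agreement=False, key_cert_sign=ca, crl_sign=ca,
                   encipher_only=False, decipher_only=False), critical=True))
    return builder.sign(signing_key, hashes.SHA256())


def build_fixture():
    """Constructed fixture: root CA, a non-CA leaf, and a cert signed by the leaf."""
    root_key, leaf_key, rogue_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    root_name, leaf_name, rogue_name = name("Demo Root CA"), name("merchant.example"), name("Issued by a leaf")
    root = _make_cert(root_name, root_name, root_key.public_key(), root_key, True, 1)
    leaf = _make_cert(leaf_name, root_name, leaf_key.public_key(), root_key, False, 2)
    rogue = _make_cert(rogue_name, leaf_name, rogue_key.public_key(), leaf_key, False, 3)
    return root, leaf, rogue


if __name__ == "__main__":
    root, leaf, rogue = build_fixture()
    print(verify_chain([leaf], root))                              # (True, 'ok')
    print(verify_chain([rogue, leaf], root))                       # (False, 'CN=merchant.example is not a CA')
    print(verify_chain([rogue, leaf], root, check_purpose=False))  # (True, 'ok'): signature-only check
```

The last line of the `__main__` block is the point of the message: every signature in the leaf-issued chain is valid, so a verifier that only follows signatures back to a trusted root accepts it, and only the BasicConstraints/KeyUsage check on each issuer rejects it. A production implementation would also handle name constraints, revocation and path-length limits, which this demo leaves out.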


