pan-users

Re: [Pan-users] [feature-request] Implement newer TLS Version in neawsre


From: Duncan
Subject: Re: [Pan-users] [feature-request] Implement newer TLS Version in neawsreader pan?
Date: Tue, 4 Jul 2017 23:37:47 +0000 (UTC)
User-agent: Pan/0.142 (He slipped to Sam a double gin; b8c8c8ef0)

neutral2016-htSm2yLGOjU posted on Tue, 04 Jul 2017 21:27:39 +0200 as
excerpted:

> I have seen on the feature list that pan can only use TLS 1.0. This
> version is outdated and insecure. Can you implement a newer version of
> the TLS protocol?

As a long-term list participant trying to help people with pan where I 
can, but not a dev...

Updating the TLS code would be useful, but keep in mind for requests such 
as this that historically, pan development has always come in fits and 
starts, with lots of activity, updates, new features, etc, for perhaps a 
year or two, as a particular dev takes a strong interest, especially in 
scratching some of his own itches but bringing new code to all, 
interspersed with periods of several years with little more than 
maintenance patches from the various distro maintainers and others 
building it themselves and offering patches, primarily to keep pan 
building with updated libraries and build toolchain.

Currently, pan is in one of those primarily maintenance-mode periods, so 
unless such a contributor takes an interest in updating the TLS code and 
provides a patch, it's unlikely to happen for some time.

That said, now that you've mentioned it, the chances are greatly 
improved. =:^)

> Especially for Ubuntu 16.04 LTS would be great.

That's /extremely/ unlikely.  Unless things have changed at Ubuntu in 
this regard recently, they don't tend to update pan at all in released 
versions, even when there's a security update[1] and an Ubuntu bug filed 
about it, as happened some years ago.  As a result, Ubuntu users don't 
normally get pan version updates unless they build it themselves, until 
they install a new version of Ubuntu that happens to ship a newer pan as 
part of it.

Security updates aside (you'll need to talk to Ubuntu about that), 
there's a reason versions are labeled LTS.  Tho they're /supposed/ to get 
security updates, the point of running an LTS is that you /don't/ get 
normal version updates, because the new versions bring new code, likely 
with new bugs, and users choose an LTS because they prefer not to deal 
with the risk and hassle involved in that sort of change, even at the 
cost of not getting new features such as support for newer TLS.

So if you're interested in new features such as newer TLS support in 
packages such as pan, I suggest that an LTS that blocks such version 
upgrades by policy may not be your best choice.

---
[1] Security update:  Arguably, it was a minor one, and pan, as an 
optional-installation minor component, probably wasn't considered worth 
the trouble.

FWIW, the security issue was that pan wasn't taking care to strip the 
executable bit from saved files.  Some groups have people posting malware 
(tho it's usually MS-platform executables), and in theory at least, they 
could have posted something targeted at *ix with the executable bit set.  
If a user happened to download and save that malware, presumably in the 
middle of a bunch of other downloads, and then click on it while 
browsing...

A workaround was to ensure that the umask was set to mask the executable 
bits before pan was started, and I actually had (and still have) a 
wrapper script that I use to launch pan that does just that (among other 
things I've found useful over the years), but the problem then becomes 
that pan can't dynamically create and enter new directories, because that 
requires the executable bit set on the directory.  Once pan's directories 
are already created and the executable bit set appropriately, that's 
fine, but as I've found over the years, if pan needs to create a new dir, 
such a wrapper means problems, requiring a manual intervention to fix.  
Not so bad if you're the one who created the wrapper and thus presumably 
are familiar enough with Unix style permissions to recognize the problem 
and know how to fix it, but it'd be a breaking bug for many users.

Ubuntu updated pan to the new version that properly masked the executable 
bit on saved files in their next release, but that was months later.  
Meanwhile, Ubuntu users remained exposed.  Like I said, they probably 
didn't figure it was worth the trouble (if they noticed the bug filing at 
all, IIRC no Ubuntu dev ever replied on it), because pan is a non-core 
optional component that few would have installed, but the fact that they 
left their users exposed for months despite people going to the trouble 
of filing the security bug, and despite /other/ distros fixing it and 
closing their bugs within a month or so, as you no doubt figured out from 
the discussion above, continues to grate on me to this day.

I'm sure it's obvious by now that I don't run either Ubuntu or LTSs, but 
of course, your computer, your choice.  While I might differ in my 
choices for my systems, I'd not /dream/ of trying to overrule yours for 
yours, tho of course that doesn't mean I can't try to convince you to 
change them. =:^)

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman
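
The umask workaround described in the footnote above, as an added shell illustration that is not part of the original message and is neither Duncan's wrapper nor pan's code: it shows that a restrictive umask strips the executable bit from a saved file but also leaves newly created directories without their search bit, and that creating the directories before tightening the umask avoids that. The function names, the 0111 mask value and the sample file are assumptions made for the example.

```shell
#!/bin/sh
# Added illustration (constructed); not the wrapper from the message.

# Print the octal permission bits of a path (GNU stat first, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Under the given umask, "save" a file whose source asks for +x and create
# a new directory; print "<file mode> <directory mode>".
modes_under_umask() {
    mask=$1
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        printf '#!/bin/sh\n' > src
        chmod 755 src          # stands in for a download that requests +x
        umask "$mask"
        cp src saved           # new file: source mode masked by the umask
        mkdir newdir           # new directory: 0777 masked by the umask
        echo "$(mode_of saved) $(mode_of newdir)"
    )
    rc=$?
    chmod -R u+rwx "$work" 2>/dev/null
    rm -rf "$work"
    return $rc
}

# Wrapper pattern: create the directory while the normal umask applies, so
# it keeps its search (x) bit, then tighten the umask and run the command.
run_masked() {
    dir=$1; shift
    mkdir -p "$dir" || return 1
    ( umask 0111; cd "$dir" && "$@" )
}

# Compare an ordinary umask with the restrictive one.
echo "umask 0022: $(modes_under_umask 0022)"
echo "umask 0111: $(modes_under_umask 0111)"
```

A directory created under the restrictive mask ends up with mode 666, which an unprivileged user cannot enter; that is the breakage the footnote describes.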



