Revelation password manager issue
Kevin Fenzi
kevin at scrye.com
Thu Jun 14 14:42:47 UTC 2012
On Thu, 14 Jun 2012 07:40:50 -0500
Josh Bressers <josh at bress.net> wrote:
> Hello all,
>
> I suspect this is going to be a weird problem to figure out.
>
> Revelation password manager
> https://admin.fedoraproject.org/pkgdb/applications/Revelation
> Password Manager
>
> Has been found to be unsafe.
> http://knoxin.blogspot.co.uk/2012/06/revelation-password-manager-considered.html
>
> I would hope it gets fixed at some future point, but something should
> probably be done in the short term.
>
> I'm not sure what Fedora precedent is on issues like this. We can't
> really revoke such a package, and we also want to give users a warning
> to use a different password manager (I'm not entirely sure how to best
> do this).
>
> Does anyone have any thoughts?

Sad ones. ;(

Possible options:

- Push out an update that adds a big warning dialog to the package
pointing to the issues
- Obsolete the package with another password manager that's more secure.
This is not very ideal though as it's unlikely to have the same
features and so on.
- Update the package with a readme, etc. on the issue, replacing the
binary. This is non-ideal as it's removing functionality (albeit
insecure functionality).

I guess I would say the first option is the best, but that's something
that the maintainer(s) of the package should put together, or at least
agree with someone creating.

kevin