Revelation password manager issue

Peter Jones pjones at redhat.com
Thu Jun 14 15:04:54 UTC 2012


On 06/14/2012 10:42 AM, Kevin Fenzi wrote:
> On Thu, 14 Jun 2012 07:40:50 -0500
> Josh Bressers <josh at bress.net> wrote:
>
>> Hello all,
>>
>> I suspect this is going to be a weird problem to figure out.
>>
>> Revelation password manager
>> https://admin.fedoraproject.org/pkgdb/applications/Revelation
>> Password Manager
>>
>> Has been found to be unsafe.
>> http://knoxin.blogspot.co.uk/2012/06/revelation-password-manager-considered.html
>>
>> I would hope it gets fixed at some future point, but something should
>> probably be done in the short term.
>>
>> I'm not sure what Fedora precedent is on issues like this. We can't
>> really revoke such a package, and we also want to give users a warning
>> to use a different password manager (I'm not entirely sure how to best
>> do this).
>>
>> Does anyone have any thoughts?
>
> Sad ones. ;(
>
> Possible options:
>
> - Push out an update that adds a big warning dialog to the package
>    pointing to the issues
>
> - Obsolete the package with another password manager that's more secure.
> This is not very ideal though as it's unlikely to have the same
> features and so on.
>
> - Update the package with a readme, etc on the issue, replacing the
>    binary. This is non-ideal as it's removing functionality (albeit
>    insecure functionality).
>
> I guess I would say the first option is the best, but that's something
> that the maintainer(s) of the package should put together, or at least
> agree with someone creating.
>

Yeah, a giant honking "this package is insecure read $URL before using"
click-through on startup would be completely reasonable.

-- 
         Peter