Revelation password manager issue
pjones at redhat.com
Thu Jun 14 15:04:54 UTC 2012
On 06/14/2012 10:42 AM, Kevin Fenzi wrote:
> On Thu, 14 Jun 2012 07:40:50 -0500
> Josh Bressers <josh at bress.net> wrote:
>> Hello all,
>> I suspect this is going to be a weird problem to figure out.
>> Revelation Password Manager has been found to be unsafe.
>> I would hope it gets fixed at some future point, but something should
>> probably be done in the short term.
>> I'm not sure what Fedora precedent is on issues like this. We can't
>> really revoke such a package, and we also want to give users a warning
>> to use a different password manager (I'm not entirely sure how to best
>> do this).
>> Does anyone have any thoughts?
> Sad ones. ;(
> Possible options:
> - Push out an update that adds a big warning dialog to the package
> pointing to the issues
> - Obsolete the package with another password manager that's more secure.
> This is not very ideal though as it's unlikely to have the same
> features and so on.
> - Update the package with a readme, etc. on the issue, replacing the
> binary. This is non-ideal as it's removing functionality (albeit
> insecure functionality).
> I guess I would say the first option is the best, but that's something
> that the maintainer(s) of the package should put together, or at least
> agree with someone creating.
Yeah, a giant honking "this package is insecure read $URL before using"
click-through on startup would be completely reasonable.