[MERGE] [0.90] Disable patch verification (broken for CRLF files)
James Westby
jw+debian at jameswestby.net
Mon Aug 13 17:52:57 BST 2007
On (13/08/07 11:45), John Arbash Meinel wrote:
> The chance of exploiting the change is pretty minimal, will only be
> exposed for about 1 month, and is a lot less disruptive than preventing
> bundles completely.
>
I'm uneasy about opening up a known hole, but yes the alternative is
worse in this case.
There is another option however, that a fix is implemented that does not
open the hole. I assume that is too costly for this stage in the
release, if so then we should go for the least bad option.
Thanks,
James
--
James Westby -- GPG Key ID: B577FE13 -- http://jameswestby.net/
seccure key - (3+)k7|M*edCX/.A:n*N!>|&7U.L#9E)Tu)T0>AM - secp256r1/nistp256