[Bug 2041751] Re: RM: Remove dangerously insecure MPPE PPTP from Ubuntu

Christian Ehrhardt  2041751 at bugs.launchpad.net
Tue Jan 2 11:38:39 UTC 2024


The seeding [1] of it is also quite clear on why it is still there.

"""
# This stack is no more very relevant, but was in the early days of internet
# dialin. This stack is a candidate for demotion, but OTOH received no
# bugs/CVEs over the last years and therefore can stay as-is for now.
# ppp itself is still recommended by network-manager and thereby has quite
# an install base.
"""

Removing is maybe too hard as Steve outlined, but what about at least
demoting to universe (to encourage it a bit less)?

The seed change to the section linked above would be trivial, but it
would need coordination with the Desktop variants as a dependency to
network-manager-pptp is in most of the meta packages.

reverse-depends  --release=noble  src:network-manager-pptp
Reverse-Recommends
==================
* network-manager               (for network-manager-pptp)
* ubuntu-budgie-desktop [amd64 arm64 armhf ppc64el]
* ubuntu-budgie-desktop-minimal [amd64 arm64 armhf ppc64el]
* ubuntu-budgie-desktop-raspi [arm64 armhf]
* ubuntu-desktop [amd64 arm64 armhf ppc64el]
* ubuntu-desktop-minimal [amd64 arm64 armhf ppc64el]
* ubuntu-mate-core              (for network-manager-pptp-gnome)
* ubuntu-mate-desktop           (for network-manager-pptp-gnome)
* ubuntu-unity-desktop [amd64 arm64 armhf ppc64el]
* ubuntukylin-desktop           (for network-manager-pptp-gnome)
* vanilla-gnome-desktop [amd64 arm64 armhf ppc64el]
* xubuntu-desktop               (for network-manager-pptp-gnome)
* xubuntu-desktop               (for network-manager-pptp)

Reverse-Depends
===============
* lomiri-indicator-network      (for network-manager-pptp)


It comes at a comfort loss though, since this is depended on by all those meta packages to work right away in a fresh install, which would be a behavior that will be lost.

Also, if there is a CVE, then only people using Ubuntu Pro would get a
fix. Which is free for personal use, but those forced to use pptp are
likely people with non-personal use of outdated infrastructure. So we'd
make the world a bit less secure as likely not all would get the fixes
then.

Still, I'd want to know from Steve and Seth, who have discussed this so
far: what would you think about that as a compromise?

[1]: https://git.launchpad.net/~ubuntu-core-dev/ubuntu-seeds/+git/platform/tree/supported-misc-servers#n190

-- 
You received this bug notification because you are a member of Ubuntu
Package Archive Administrators, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2041751

More information about the ubuntu-archive mailing list