Debian Bug report logs - #510348
dillo silently accepts expired https certificates

version graph

Package: dillo; Maintainer for dillo is Axel Beckert <abe@debian.org>; Source for dillo is src:dillo.

Reported by: Michael Niedermayer <michaelni@gmx.at>

Date: Wed, 31 Dec 2008 19:21:02 UTC

Severity: grave

Tags: security

Found in version dillo/0.8.6-3

Done: Gürkan Sengün <gurkan@phys.ethz.ch>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Devid Filoni <d.filoni@techemail.com>:
Bug#510348; Package dillo. (Wed, 31 Dec 2008 19:21:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Niedermayer <michaelni@gmx.at>:
New Bug report received and forwarded. Copy sent to Devid Filoni <d.filoni@techemail.com>. (Wed, 31 Dec 2008 19:21:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Michael Niedermayer <michaelni@gmx.at>
To: submit@bugs.debian.org
Subject: dillo silently accepts expired https certificates
Date: Wed, 31 Dec 2008 20:14:12 +0100
[Message part 1 (text/plain, inline)]
Package: dillo
Version: 0.8.6-3
Severity: grave
Justification: user security hole
Tags: security


dillo silently accepts expired https certificates, an example can be seen at
https://i.broke.the.internet.and.all.i.got.was.this.t-shirt.phreedom.org/
Considering this, i suspect dillo likely also doesnt do other checks on the
certificate, but I did not test this as i dont have a collection of such
certificates.
And accepting expired certifcates alone is already a security issue.


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
Architecture: i386 (i686)

Kernel: Linux 2.6
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

ii  libssl0.9.8            0.9.8g-10         SSL shared libraries

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

I hate to see young programmers poisoned by the kind of thinking
Ulrich Drepper puts forward since it is simply too narrow -- Roman Shaposhnik
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Devid Filoni <d.filoni@techemail.com>:
Bug#510348; Package dillo. (Thu, 01 Jan 2009 15:06:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Neil Moore <neil@s-z.org>:
Extra info received and forwarded to list. Copy sent to Devid Filoni <d.filoni@techemail.com>. (Thu, 01 Jan 2009 15:06:05 GMT) Full text and rfc822 format available.

Message #10 received at 510348@bugs.debian.org (full text, mbox):

From: Neil Moore <neil@s-z.org>
To: 510348@bugs.debian.org
Subject: does not appear to do any certificate validation
Date: Thu, 1 Jan 2009 10:03:25 -0500
The bug appears worse than that.  I also get no errors when accessing
a site with a self-signed certificate; or with the wrong hostname in
the certificate.  This is, I think, a pretty serious flaw as it makes
impersonation or an active man-in-the-middle attack very easy.  On the
other hand, dillo does not display a padlock icon, so it could be
argued that users have no expectation of security from dillo.

-- 
Neil Moore, neil@s-z.org, http://s-z.org/neil/




Information forwarded to debian-bugs-dist@lists.debian.org, Devid Filoni <d.filoni@techemail.com>:
Bug#510348; Package dillo. (Fri, 02 Jan 2009 21:51:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Neil Williams <codehelp@debian.org>:
Extra info received and forwarded to list. Copy sent to Devid Filoni <d.filoni@techemail.com>. (Fri, 02 Jan 2009 21:51:02 GMT) Full text and rfc822 format available.

Message #15 received at 510348@bugs.debian.org (full text, mbox):

From: Neil Williams <codehelp@debian.org>
To: 510348@bugs.debian.org
Subject: New upstream version
Date: Fri, 2 Jan 2009 21:48:16 +0000
[Message part 1 (text/plain, inline)]
One idea would be to special case the existing https:// support and
replace it with a warning message that https:// was disabled due to a
lack of support for full verification.

I had a quick look and it doesn't seem to need a particularly large
change to the source code, if the only change is to https support.

However, dillo is gtk1.2 - the extra gtk1.2 dependencies somewhat
counteract the benefits of having a "small" web browser in the first
place - especially now that so few other applications on devices likely
to need dillo would actually want gtk1.2 at all.

There is a new upstream version, dillo-2.0:
http://misc.andi.de1.cc/dillo/

This version build-depends on libgtk2.0-dev but although packages are
available on the above site, the package itself fails to build due to a
problem in fltk:

g++ -DHAVE_CONFIG_H -I. -I..   -I/usr/local/include -I/usr/include/freetype2 -D_THREAD_SAFE -D_REENTRANT -g -O2 -Wall -W -Wno-unused-parameter -MT libDw_fltk_a-fltkcomplexbutton.o -MD -MP -MF .deps/libDw_fltk_a-fltkcomplexbutton.Tpo -c -o libDw_fltk_a-fltkcomplexbutton.o `test -f 'fltkcomplexbutton.cc' || echo './'`fltkcomplexbutton.cc
fltkcomplexbutton.cc:20:25: error: fltk/events.h: No such file or directory
fltkcomplexbutton.cc:21:25: error: fltk/damage.h: No such file or directory
fltkcomplexbutton.cc:22:24: error: fltk/Group.h: No such file or directory
fltkcomplexbutton.cc:23:22: error: fltk/Box.h: No such file or directory
fltkcomplexbutton.cc:155:23: error: fltk/draw.h: No such file or directory

The upstream package does work and it does exclude https:// support:

$ dillo https://launchpad.net
Hi!

  This is the https dpi that just got a request to send
  the following HTTP query:
{
GET / HTTP/1.1
Connection: close
Accept-Charset: utf-8,*;q=0.8
Accept-Encoding: gzip
Host: launchpad.net
Referer: https://launchpad.net/
User-Agent: Dillo/2.0


}

  *** Dillo's prototype plugin for https support is disabled now ***

  If you want to test this alpha support code, just remove
  line 72 from dpi/https.c, recompile and reinstall.

  (beware that this https support is very limited now)

  To use https and SSL, you must have 
  the OpenSSL development libraries installed.  Check your
  O/S distribution provider, or check out
  www.openssl.org


I'll continue looking at how to get the new version to build in unstable.

-- 


Neil Williams
=============
http://www.data-freedom.org/
http://www.linux.codehelp.co.uk/
http://e-mail.is-not-s.ms/

[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Devid Filoni <d.filoni@techemail.com>:
Bug#510348; Package dillo. (Fri, 02 Jan 2009 22:51:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Neil Williams <codehelp@debian.org>:
Extra info received and forwarded to list. Copy sent to Devid Filoni <d.filoni@techemail.com>. (Fri, 02 Jan 2009 22:51:02 GMT) Full text and rfc822 format available.

Message #20 received at 510348@bugs.debian.org (full text, mbox):

From: Neil Williams <codehelp@debian.org>
To: 510348@bugs.debian.org
Subject: GTK2 version needs static link to FLTK2 snapshot
Date: Fri, 2 Jan 2009 22:48:31 +0000
[Message part 1 (text/plain, inline)]
http://www.fltk.org/software.php?VERSION=2.0.x-r6525

With this upstream version installed, dillo-2.0 builds against
libgtk2.0-dev and libglib2.0-dev.

libc6 (>= 2.7-1), libfontconfig1 (>= 2.4.0), libgcc1 (>= 1:4.1.1),
libjpeg62, libpng12-0 (>= 1.2.13-4), libssl0.9.8 (>= 0.9.8f-5), libstdc+
+6 (>= 4.1.1), libx11-6, libxext6, libxft2 (>> 2.1.1), libxi6,
libxinerama1, libxrender1, zlib1g (>= 1:1.1.4), wget

Sadly, this results in dillo being statically linked against FLTK2 due
to a build decision made in the FLTK2 upstream snapshot:
# fltk2-config --libs
/usr/lib/libfltk2.a

To remove dillo, a rebuild is needed for claws-mail to drop
claws-mail-dillo-viewer.

http://packages.debian.org/sid/claws-mail-dillo-viewer

-- 


Neil Williams
=============
http://www.data-freedom.org/
http://www.linux.codehelp.co.uk/
http://e-mail.is-not-s.ms/

[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Devid Filoni <d.filoni@techemail.com>:
Bug#510348; Package dillo. (Sat, 03 Jan 2009 12:24:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Neil Williams <codehelp@debian.org>:
Extra info received and forwarded to list. Copy sent to Devid Filoni <d.filoni@techemail.com>. (Sat, 03 Jan 2009 12:24:05 GMT) Full text and rfc822 format available.

Message #25 received at 510348@bugs.debian.org (full text, mbox):

From: Neil Williams <codehelp@debian.org>
To: mones@debian.org
Cc: kov@debian.org, claws@thewildbeast.co.uk, 510348@bugs.debian.org
Subject: Removal of dillo and claws-mail dillo plugin?
Date: Sat, 3 Jan 2009 12:21:49 +0000
[Message part 1 (text/plain, inline)]
It looks like dillo could be removed due to the RC bug #510348 but to
do that, the claws-mail-dillo-viewer plugin also needs to be removed.
After only a v.brief look at the claws-mail package, removing that
plugin appears trivial. Are there any other problems with removing the
dillo-viewer from claws-mail?

Can an upload of claws-mail be arranged that drops the dillo-viewer?
(I'm happy to do an NMU if that is a problem.)

-- 


Neil Williams
=============
http://www.data-freedom.org/
http://www.linux.codehelp.co.uk/
http://e-mail.is-not-s.ms/

[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Devid Filoni <d.filoni@techemail.com>:
Bug#510348; Package dillo. (Sat, 03 Jan 2009 12:36:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to <d.filoni@techemail.com>:
Extra info received and forwarded to list. Copy sent to Devid Filoni <d.filoni@techemail.com>. (Sat, 03 Jan 2009 12:36:02 GMT) Full text and rfc822 format available.

Message #30 received at 510348@bugs.debian.org (full text, mbox):

From: "Devid Antonio Filoni" <d.filoni@techemail.com>
To: "Neil Williams" <codehelp@debian.org>, <510348@bugs.debian.org>
Cc: <mones@debian.org>, <kov@debian.org>, <claws@thewildbeast.co.uk>, <510348@bugs.debian.org>
Subject: Re: Bug#510348: Removal of dillo and claws-mail dillo plugin?
Date: Sat, 3 Jan 2009 04:34:09 -0800
I'm the maintainer of dillo package. I'm working on a fltk2 package in order to update dillo to the 2.0 version, I don't think we should remove dillo package right now from unstable as I'm working on it.

Devid Antonio Filoni

--- codehelp@debian.org wrote:

From: Neil Williams <codehelp@debian.org>
To: mones@debian.org
Cc: kov@debian.org, claws@thewildbeast.co.uk, 510348@bugs.debian.org
Subject: Bug#510348: Removal of dillo and claws-mail dillo plugin?
Date: Sat, 3 Jan 2009 12:21:49 +0000

It looks like dillo could be removed due to the RC bug #510348 but to
do that, the claws-mail-dillo-viewer plugin also needs to be removed.
After only a v.brief look at the claws-mail package, removing that
plugin appears trivial. Are there any other problems with removing the
dillo-viewer from claws-mail?

Can an upload of claws-mail be arranged that drops the dillo-viewer?
(I'm happy to do an NMU if that is a problem.)

-- 


Neil Williams
=============
http://www.data-freedom.org/
http://www.linux.codehelp.co.uk/
http://e-mail.is-not-s.ms/





_____________________________________________________________
Are you a Techie? Get Your Free Tech Email Address Now! Visit http://www.TechEmail.com




Information forwarded to debian-bugs-dist@lists.debian.org, Devid Filoni <d.filoni@techemail.com>:
Bug#510348; Package dillo. (Sat, 03 Jan 2009 13:09:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul <claws@thewildbeast.co.uk>:
Extra info received and forwarded to list. Copy sent to Devid Filoni <d.filoni@techemail.com>. (Sat, 03 Jan 2009 13:09:02 GMT) Full text and rfc822 format available.

Message #35 received at 510348@bugs.debian.org (full text, mbox):

From: Paul <claws@thewildbeast.co.uk>
To: Neil Williams <codehelp@debian.org>
Cc: mones@debian.org, kov@debian.org, 510348@bugs.debian.org
Subject: Re: Removal of dillo and claws-mail dillo plugin?
Date: Sat, 3 Jan 2009 13:05:45 +0000
On Sat, 3 Jan 2009 12:21:49 +0000
Neil Williams <codehelp@debian.org> wrote: 

> After only a v.brief look at the claws-mail package, removing that
> plugin appears trivial. Are there any other problems with removing the
> dillo-viewer from claws-mail?

Should dillo need to be removed, building claws-mail without the dillo-plugin
is simple.

best regards

Paul


-- 
It isn't worth a nickel to two guys like you or me, 
but to a collector it is worth a fortune 




Information forwarded to debian-bugs-dist@lists.debian.org, Devid Filoni <d.filoni@techemail.com>:
Bug#510348; Package dillo. (Sat, 03 Jan 2009 15:33:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Neil McGovern <neilm@debian.org>:
Extra info received and forwarded to list. Copy sent to Devid Filoni <d.filoni@techemail.com>. (Sat, 03 Jan 2009 15:33:02 GMT) Full text and rfc822 format available.

Message #40 received at 510348@bugs.debian.org (full text, mbox):

From: Neil McGovern <neilm@debian.org>
To: 510348@bugs.debian.org
Cc: claws-mail@packages.debian.org
Subject: Dillo removal
Date: Sat, 3 Jan 2009 15:28:31 +0000
[Message part 1 (text/plain, inline)]
I've removed dillo from lenny, as it should be obvious that we can't
accept a new gtk port at this time in the freeze.

I've uploaded claws-mail in t-p-u, disabling the dillo plugin. Bug with
diff to follow shortly.

Thanks,
Neil
-- 
<weasel> dpkg: shut up
<dpkg> No, I won't, and you can't make me. :P
<weasel> hah.  _I_ can
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Devid Filoni <d.filoni@techemail.com>:
Bug#510348; Package dillo. (Sat, 03 Jan 2009 15:57:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Gustavo Noronha Silva <kov@debian.org>:
Extra info received and forwarded to list. Copy sent to Devid Filoni <d.filoni@techemail.com>. (Sat, 03 Jan 2009 15:57:02 GMT) Full text and rfc822 format available.

Message #45 received at 510348@bugs.debian.org (full text, mbox):

From: Gustavo Noronha Silva <kov@debian.org>
To: Paul <claws@thewildbeast.co.uk>
Cc: Neil Williams <codehelp@debian.org>, mones@debian.org, 510348@bugs.debian.org
Subject: Re: Removal of dillo and claws-mail dillo plugin?
Date: Sat, 03 Jan 2009 13:53:55 -0200
[Message part 1 (text/plain, inline)]
On Sat, 2009-01-03 at 13:05 +0000, Paul wrote:
> > After only a v.brief look at the claws-mail package, removing that
> > plugin appears trivial. Are there any other problems with removing the
> > dillo-viewer from claws-mail?
> 
> Should dillo need to be removed, building claws-mail without the dillo-plugin
> is simple.

Also, I'm not sure if that would help claws-mail, but there seems to be
a Tcl/Tk program that should cover any use-cases a dillo removal may
leave uncovered: http://tkhtml.tcl.tk/hv3.html. It's not yet in Debian,
but may be an option for Squeeze.

See you,

-- 
Gustavo Noronha Silva <kov@debian.org>
Debian Project
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Devid Filoni <d.filoni@techemail.com>:
Bug#510348; Package dillo. (Sat, 03 Jan 2009 15:57:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Devid Filoni <d.filoni@techemail.com>. (Sat, 03 Jan 2009 15:57:03 GMT) Full text and rfc822 format available.

Message #50 received at 510348@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Neil McGovern <neilm@debian.org>
Cc: 510348@bugs.debian.org, claws-mail@packages.debian.org
Subject: Re: Dillo removal
Date: Sat, 3 Jan 2009 16:55:00 +0100
On Sat, Jan 03, 2009 at 03:28:31PM +0000, Neil McGovern wrote:
> I've removed dillo from lenny, as it should be obvious that we can't
> accept a new gtk port at this time in the freeze.

That's a fairly hasty decision and a severe regression to existing
users given that about three percent of all popcon users have dillo
installed and about one percent use it frequently.

A 30 second peek into the rules files shows that there's even a
configure option to disable SSL support...

--
        ./configure $(CONFFLAGS) \
                                --prefix=/usr \
                                --sysconfdir=/etc \
                                --enable-ipv6 \
                                --enable-ssl \
                                --enable-meta-refresh \
                                --disable-dlgui \
                                CFLAGS="$(CFLAGS)" \
--

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Devid Filoni <d.filoni@techemail.com>:
Bug#510348; Package dillo. (Sat, 03 Jan 2009 16:09:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Neil McGovern <maulkin@halon.org.uk>:
Extra info received and forwarded to list. Copy sent to Devid Filoni <d.filoni@techemail.com>. (Sat, 03 Jan 2009 16:09:02 GMT) Full text and rfc822 format available.

Message #55 received at 510348@bugs.debian.org (full text, mbox):

From: Neil McGovern <maulkin@halon.org.uk>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 510348@bugs.debian.org, claws-mail@packages.debian.org
Subject: Re: Dillo removal
Date: Sat, 3 Jan 2009 16:05:58 +0000
On Sat, Jan 03, 2009 at 04:55:00PM +0100, Moritz Muehlenhoff wrote:
> On Sat, Jan 03, 2009 at 03:28:31PM +0000, Neil McGovern wrote:
> > I've removed dillo from lenny, as it should be obvious that we can't
> > accept a new gtk port at this time in the freeze.
> 
> That's a fairly hasty decision and a severe regression to existing
> users given that about three percent of all popcon users have dillo
> installed and about one percent use it frequently.
> 

I did check popcon before adding my hint.

> A 30 second peek into the rules files shows that there's even a
> configure option to disable SSL support...
> 

It also seems to be gtk1.2, which was the other reason for removal. I'm
not sure that the requirement to bring in gtk1.2 helps the case for a
lightweight browser, especially as we're trying to remove gtk1.

Neil
-- 
A. Because it breaks the logical sequence of discussion
Q. Why is top posting bad?
gpg key - http://www.halon.org.uk/pubkey.txt ; the.earth.li B345BDD3




Information forwarded to debian-bugs-dist@lists.debian.org, Devid Filoni <d.filoni@techemail.com>:
Bug#510348; Package dillo. (Sat, 03 Jan 2009 16:54:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Devid Filoni <d.filoni@techemail.com>. (Sat, 03 Jan 2009 16:54:08 GMT) Full text and rfc822 format available.

Message #60 received at 510348@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Neil McGovern <maulkin@halon.org.uk>
Cc: 510348@bugs.debian.org, claws-mail@packages.debian.org
Subject: Re: Dillo removal
Date: Sat, 3 Jan 2009 17:52:16 +0100
Neil McGovern wrote:
> > A 30 second peek into the rules files shows that there's even a
> > configure option to disable SSL support...
> > 
> 
> It also seems to be gtk1.2, which was the other reason for removal. I'm
> not sure that the requirement to bring in gtk1.2 helps the case for a
> lightweight browser, especially as we're trying to remove gtk1.

Noone's trying to deprecate gtk1.2 for Lenny and for Squeeze the gtk2 based
version can be uploaded.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Devid Filoni <d.filoni@techemail.com>:
Bug#510348; Package dillo. (Sat, 03 Jan 2009 19:00:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Luk Claes <luk@debian.org>:
Extra info received and forwarded to list. Copy sent to Devid Filoni <d.filoni@techemail.com>. (Sat, 03 Jan 2009 19:00:02 GMT) Full text and rfc822 format available.

Message #65 received at 510348@bugs.debian.org (full text, mbox):

From: Luk Claes <luk@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 510348@bugs.debian.org
Cc: Neil McGovern <maulkin@halon.org.uk>, claws-mail@packages.debian.org
Subject: Re: Bug#510348: Dillo removal
Date: Sat, 03 Jan 2009 19:57:07 +0100
Moritz Muehlenhoff wrote:
> Neil McGovern wrote:
>>> A 30 second peek into the rules files shows that there's even a
>>> configure option to disable SSL support...
>>>
>> It also seems to be gtk1.2, which was the other reason for removal. I'm
>> not sure that the requirement to bring in gtk1.2 helps the case for a
>> lightweight browser, especially as we're trying to remove gtk1.
> 
> Noone's trying to deprecate gtk1.2 for Lenny and for Squeeze the gtk2 based
> version can be uploaded.

There were several efforts to reduce the dependency on gtk1.2, it's only
unfortunate that most people were not convinced that we really wanted to
get rid of gtk1.2 otherwise it would already have happened.

Cheers

Luk




Information forwarded to debian-bugs-dist@lists.debian.org, Devid Filoni <d.filoni@techemail.com>:
Bug#510348; Package dillo. (Sat, 03 Jan 2009 19:57:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Devid Filoni <d.filoni@techemail.com>. (Sat, 03 Jan 2009 19:57:03 GMT) Full text and rfc822 format available.

Message #70 received at 510348@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Luk Claes <luk@debian.org>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 510348@bugs.debian.org, Neil McGovern <maulkin@halon.org.uk>, claws-mail@packages.debian.org
Subject: Re: Bug#510348: Dillo removal
Date: Sat, 3 Jan 2009 20:55:54 +0100
On Sat, Jan 03, 2009 at 07:57:07PM +0100, Luk Claes wrote:
> Moritz Muehlenhoff wrote:
> > Neil McGovern wrote:
> >>> A 30 second peek into the rules files shows that there's even a
> >>> configure option to disable SSL support...
> >>>
> >> It also seems to be gtk1.2, which was the other reason for removal. I'm
> >> not sure that the requirement to bring in gtk1.2 helps the case for a
> >> lightweight browser, especially as we're trying to remove gtk1.
> > 
> > Noone's trying to deprecate gtk1.2 for Lenny and for Squeeze the gtk2 based
> > version can be uploaded.
> 
> There were several efforts to reduce the dependency on gtk1.2, it's only
> unfortunate that most people were not convinced that we really wanted to
> get rid of gtk1.2 otherwise it would already have happened.

I'm fully aware of that, actually I was involved in getting GTK1.2 removed.
But it's not a valid argument against dropping Dillo at this point.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Devid Filoni <d.filoni@techemail.com>:
Bug#510348; Package dillo. (Sat, 03 Jan 2009 20:36:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Neil McGovern <maulkin@halon.org.uk>:
Extra info received and forwarded to list. Copy sent to Devid Filoni <d.filoni@techemail.com>. (Sat, 03 Jan 2009 20:36:02 GMT) Full text and rfc822 format available.

Message #75 received at 510348@bugs.debian.org (full text, mbox):

From: Neil McGovern <maulkin@halon.org.uk>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Luk Claes <luk@debian.org>, 510348@bugs.debian.org, claws-mail@packages.debian.org
Subject: Re: Bug#510348: Dillo removal
Date: Sat, 3 Jan 2009 20:28:53 +0000
On Sat, Jan 03, 2009 at 08:55:54PM +0100, Moritz Muehlenhoff wrote:
> On Sat, Jan 03, 2009 at 07:57:07PM +0100, Luk Claes wrote:
> > Moritz Muehlenhoff wrote:
> > > Neil McGovern wrote:
> > >>> A 30 second peek into the rules files shows that there's even a
> > >>> configure option to disable SSL support...
> > >>>
> > >> It also seems to be gtk1.2, which was the other reason for removal. I'm
> > >> not sure that the requirement to bring in gtk1.2 helps the case for a
> > >> lightweight browser, especially as we're trying to remove gtk1.
> > > 
> > > Noone's trying to deprecate gtk1.2 for Lenny and for Squeeze the gtk2 based
> > > version can be uploaded.
> > 
> > There were several efforts to reduce the dependency on gtk1.2, it's only
> > unfortunate that most people were not convinced that we really wanted to
> > get rid of gtk1.2 otherwise it would already have happened.
> 
> I'm fully aware of that, actually I was involved in getting GTK1.2 removed.
> But it's not a valid argument against dropping Dillo at this point.
> 

Apologies, I may not have made it clear: I don't consider a browser
without ssl support to be well featured enough for us. We've finally
removed the rest of the ones that don't support it, and I'm not keen to
introduce another.
If you can fix this bug, then I'll look at reintroducing it.

Thanks,
Neil
-- 
A. Because it breaks the logical sequence of discussion
Q. Why is top posting bad?
gpg key - http://www.halon.org.uk/pubkey.txt ; the.earth.li B345BDD3




Information forwarded to debian-bugs-dist@lists.debian.org, Devid Filoni <d.filoni@techemail.com>:
Bug#510348; Package dillo. (Sun, 04 Jan 2009 01:33:11 GMT) Full text and rfc822 format available.

Acknowledgement sent to Wookey <wookey@wookware.org>:
Extra info received and forwarded to list. Copy sent to Devid Filoni <d.filoni@techemail.com>. (Sun, 04 Jan 2009 01:33:11 GMT) Full text and rfc822 format available.

Message #80 received at 510348@bugs.debian.org (full text, mbox):

From: Wookey <wookey@wookware.org>
To: 510348@bugs.debian.org
Subject: PLease don't remove dillo
Date: Sun, 4 Jan 2009 01:29:20 +0000
I really don't think removing Dillo is the right thing to do. It is
widely used - I use it every day, for example. I am not aware of
any other browser which has the same speed and window-handling
which is particularly suitable for images. Even with https support
turned off it would still be very useful.

I am working on fixing the actual SSL checking problem (there is some
certificate-checking code in there already - it just doesn't seem to
be working right, so it doesn't look too intractable).

Presumably the https support has been broken for years and that didn't
cause it to get thrown out, so chucking it now, just because the
problem has been noticed, is not warranted - it's a huge regression. 

We can warn people prominently in the postinst or just turn off ssl.
Hopefully I can actually fix the problem. So hold off binning it please.

Wookey
-- 
Principal hats:  Balloonz - Toby Churchill - Aleph One - Debian
http://wookware.org/




Information forwarded to debian-bugs-dist@lists.debian.org, Devid Filoni <d.filoni@techemail.com>:
Bug#510348; Package dillo. (Thu, 08 Jan 2009 20:21:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Andreas Kemnade <andreas@kemnade.info>:
Extra info received and forwarded to list. Copy sent to Devid Filoni <d.filoni@techemail.com>. (Thu, 08 Jan 2009 20:21:03 GMT) Full text and rfc822 format available.

Message #85 received at 510348@bugs.debian.org (full text, mbox):

From: Andreas Kemnade <andreas@kemnade.info>
To: 510348@bugs.debian.org
Subject: dillo2.0 fltk package
Date: Thu, 8 Jan 2009 20:51:42 +0100
[Message part 1 (text/plain, inline)]
Hi,

just to introduce myself. I'm the creator of that package on
http://misc.andi.de1.cc/dillo

I have provided that one so that debian users can quickly install
dillo. It is not the cleanest way to create a debian package,..
but the quickest.

I did not use pbuilder.
Because I do not know what's the clean way with fltk2 (since it is
a snapshot ...) I decided to
not package it and I just did the usual ./configure && make && make install
for the fltk snapshot
before starting dpkg-buildpackage.
And yes, the build dependencies are wrong (gtk is of course no build dependancy).
I just took the old debian diff and changed it as less as needed.

Greetings
Andreas Kemnade
[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Devid Filoni <d.filoni@techemail.com>:
Bug#510348; Package dillo. (Thu, 08 Jan 2009 20:51:18 GMT) Full text and rfc822 format available.

Acknowledgement sent to <d.filoni@techemail.com>:
Extra info received and forwarded to list. Copy sent to Devid Filoni <d.filoni@techemail.com>. (Thu, 08 Jan 2009 20:51:20 GMT) Full text and rfc822 format available.

Message #90 received at 510348@bugs.debian.org (full text, mbox):

From: "Devid Antonio Filoni" <d.filoni@techemail.com>
To: "Andreas Kemnade" <andreas@kemnade.info>, <510348@bugs.debian.org>
Subject: Re: Bug#510348: dillo2.0 fltk package
Date: Thu, 8 Jan 2009 12:47:15 -0800
Hi,
I've worked on a fltk2 package and it seems to be ok, my sponsor will upload it as soon as possible and then I will update the dillo package. I'm sorry for the delay with this.

Devid Antonio Filoni

--- andreas@kemnade.info wrote:

From: Andreas Kemnade <andreas@kemnade.info>
To: 510348@bugs.debian.org
Subject: Bug#510348: dillo2.0 fltk package
Date: Thu, 8 Jan 2009 20:51:42 +0100

Hi,

just to introduce myself. I'm the creator of that package on
http://misc.andi.de1.cc/dillo

I have provided that one so that debian users can quickly install
dillo. It is not the cleanest way to create a debian package,..
but the quickest.

I did not use pbuilder.
Because I do not know what's the clean way with fltk2 (since it is
a snapshot ...) I decided to
not package it and I just did the usual ./configure && make && make install
for the fltk snapshot
before starting dpkg-buildpackage.
And yes, the build dependencies are wrong (gtk is of course no build dependancy).
I just took the old debian diff and changed it as less as needed.

Greetings
Andreas Kemnade




_____________________________________________________________
Are you a Techie? Get Your Free Tech Email Address Now! Visit http://www.TechEmail.com




Reply sent to Gürkan Sengün <gurkan@phys.ethz.ch>:
You have taken responsibility. (Wed, 21 Apr 2010 15:30:28 GMT) Full text and rfc822 format available.

Notification sent to Michael Niedermayer <michaelni@gmx.at>:
Bug acknowledged by developer. (Wed, 21 Apr 2010 15:30:28 GMT) Full text and rfc822 format available.

Message #95 received at 510348-done@bugs.debian.org (full text, mbox):

From: Gürkan Sengün <gurkan@phys.ethz.ch>
To: 560874-done@bugs.debian.org, 510348-done@bugs.debian.org, 515271-done@bugs.debian.org, 535788-done@bugs.debian.org
Subject: dillo has been removed
Date: Wed, 21 Apr 2010 17:16:10 +0200
thus the bug is not relevant anymore.
(it's not likely it's coming back since, the old dillo used to use gtk 1.x which 
was getting replaced with gtk 2, and nowadays dillo wants fltk a version that's 
not in debian)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 20 May 2010 07:36:50 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 02:50:03 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.