Hi distributors (and Epiphany users),

Beginning in 3.14, Epiphany will block TLS connections from sites with untrusted TLS certificates. We're doing this the same way as other major browsers: if the connection for the main page is untrusted, we display a warning message to the user (with a button to bypass the warning); if any other connection is untrusted, we block it completely. For example, if a site's CSS is served over an untrusted connection, it will be blocked and the page will not display properly.

Although we handle verification failures the same way as other major browsers, different browsers take different approaches to certificate verification. We've received some complaints from users that the new version of Epiphany is unable to display certain sites properly, and these have been traced back to certificate verification failures. There are several distinct causes. Since these bugs make Epiphany seem like a bad browser to users, we'd appreciate it if you carefully consider the impact of these issues when packaging GNOME 3.14.

1) Debian and Ubuntu-based distros are affected by a packaging bug in Debian's ca-certificates package that results in some root certificates being improperly disabled [1]. Needless to say, this is very bad. The bug only affects users who upgrade between certain releases of the package, so please consider whether it could have affected your users. If so, please either implement an automatic fix for the issue, or attempt to notify users so that it can be fixed manually. Even if your distro is not a Debian derivative, if your ca-certificates package ships an update-ca-certificates script, please check whether it is based on Debian's.

2) The latest upstream version of ca-certificates removes several root certs with 1024-bit RSA keys, even though valid certificates issued by those roots are still in use [2]. Fedora 21 already has the latest version of ca-certificates, and it has broken popular web sites, including amazon.com and kickstarter.com, in Epiphany. Please consider delaying any planned update of this package for a few months, until the fallout [3] has passed. Distros shipping GNOME 3.14 should strongly consider sticking with the previous release of ca-certificates, from March 2014.

3) Make sure to package glib-networking 2.42 for an important certificate verification fix [4].

Thanks!

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743339
[2] https://lists.fedoraproject.org/pipermail/devel/2014-August/201700.html
[3] https://lists.fedoraproject.org/pipermail/devel/2014-September/202200.html
[4] https://git.gnome.org/browse/glib-networking/commit/?id=0e08f17396287d00a69bbbcbec3b364b98cbcace
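For packagers who want to check their own CA store for the two problems in items 1 and 2, here is an added example (not part of the original mail, and not GNOME or Debian code): shell helpers that list roots disabled with a "!" in a Debian-style ca-certificates.conf and count RSA roots in a PEM bundle that fall below a key-size threshold. It assumes the openssl CLI is installed; the demo conf entries and demo roots are constructed, hypothetical data.

```shell
#!/bin/sh
# Added example (not part of the original mail): shell helpers for checking a
# distro's CA store for the two problems described above. Needs the openssl CLI.
set -e

# Item 1: in a Debian-style /etc/ca-certificates.conf a leading "!" marks a
# root as disabled. Print the disabled entries of the conf file given as $1.
disabled_roots() {
    sed -n 's/^!//p' "$1"
}

# Item 2: print "algorithm<TAB>bits<TAB>subject" for every cert in PEM bundle $1.
bundle_key_sizes() {
    tmp=$(mktemp -d)
    # Split the bundle into one file per certificate, closing each file as we go.
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/ { if (out) close(out); n++; out = dir "/" n ".pem" }
                       out { print > out }' "$1"
    for f in "$tmp"/*.pem; do
        text=$(openssl x509 -in "$f" -noout -text)
        alg=$(printf '%s\n' "$text" | sed -n 's/.*Public Key Algorithm: //p')
        bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
        printf '%s\t%s\t%s\n' "$alg" "$bits" "$(openssl x509 -in "$f" -noout -subject)"
    done
    rm -rf "$tmp"
}

# Count RSA roots in bundle $1 with a modulus shorter than $2 bits (default
# 2048): the roots that the newer ca-certificates release drops.
weak_root_count() {
    bundle_key_sizes "$1" | awk -F '\t' -v min="${2:-2048}" \
        '$1 == "rsaEncryption" && $2 < min { c++ } END { print c + 0 }'
}

# Constructed demo data (hypothetical names): a conf with one disabled root and
# a bundle holding a 1024-bit and a 2048-bit self-signed root made with openssl.
make_demo_conf() {
    printf '%s\n' 'mozilla/Demo_Root_2048.crt' '!mozilla/Demo_Root_1024.crt' > "$1"
}
make_demo_bundle() {
    dir=$(mktemp -d)
    for bits in 1024 2048; do
        openssl req -x509 -newkey "rsa:$bits" -nodes -keyout "$dir/k$bits.pem" \
            -out "$dir/c$bits.pem" -subj "/CN=Demo Root $bits" -days 1 2>/dev/null
    done
    cat "$dir/c1024.pem" "$dir/c2048.pem" > "$1"
    rm -rf "$dir"
}
```

On a real system, point `disabled_roots` at /etc/ca-certificates.conf and `weak_root_count` at the installed bundle (for example /etc/ssl/certs/ca-certificates.crt) to see whether either problem applies to your package.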