correction of scope of security problem

AFAICS, it's not only affecting resumes, but any upload to a special remote
with chunking enabled.

2 files changed, 4 insertions, 7 deletions

diff --git a/debian/changelog b/debian/changelog
index f24c11da4..d4c586bac 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,8 +8,8 @@ git-annex (6.20160419) unstable; urgency=medium
 
   * Fix bug that prevented resuming of uploads to encrypted special remotes
     that used chunking.
-  * That bug could also expose the names of keys to such remotes when
-    attempting to resume an upload, so it is a minor security issue.
+  * That bug could also expose the names of keys to such remotes, so it is a
+    minor security issue.
   * Fix duplicate progress meter display when downloading from a git remote
     over http with -J.
   * reinject: When src file's content cannot be verified, leave it alone,
diff --git a/doc/bugs/External_special_remote_broken__63__/comment_1_904a186a6400506303cad772ac1a6751._comment b/doc/bugs/External_special_remote_broken__63__/comment_1_904a186a6400506303cad772ac1a6751._comment
index e50f00afb..7fb3b08e5 100644
--- a/doc/bugs/External_special_remote_broken__63__/comment_1_904a186a6400506303cad772ac1a6751._comment
+++ b/doc/bugs/External_special_remote_broken__63__/comment_1_904a186a6400506303cad772ac1a6751._comment
@@ -10,9 +10,6 @@ non-chunked form, since a remote can be reconfigured to add chunking.
 So it's nothing to worry about.
 
 The lack of encryption of the key when checking to resume is definitely a
-bug. A bit of a security bug too, although it only happens when resuming
-uploads. (I double checked the other operations and they all encrypt keys)
-I suppose that if the server was hostile, it could randomly make
-uploads fail, in order to get git-annex to expose content keys via
-this bug when resuming.
+bug. A bit of a security bug too.
+(I double checked the other operations and they all encrypt keys)
 """]]