Re: Packages that download/install unsecured files
Christoph Anton Mitterer schrieb:
> Some time ago, I wrote several bug reports against packages that download
> files from some non-apt-secured sources on the web and install them.
> I got more or less positive feedback, from maintainers who happily
> accepted my suggestions to those who thought they were crap and not
> necessary ;)
> Some days ago Tom Feiner opened #546945 (and CC'ed me), which proved to me
> that I'm not the only one concerned about these issues.
> So I thought it might be worth bringing them up for discussion here.
Maybe we should also think about the downloaded files themselves.
A firmware for Linux or a plugin for Firefox could do really bad things.
In the case of geoip it is just a data file (like a .svg etc.) with no
attack vector. The attacker could only inject a corrupted database,
and geoip would throw errors/false positions.
Is this really a vector for it?
Mit freundlichem Gruß / With kind regards,
GNU/Linux Debian Developer
Always if we think we are right,
we were maybe wrong.
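As an added illustration, not part of this thread and not taken from any Debian package, here is one minimal form of the check the thread is asking for: a package's download hook ships the expected SHA-256 of the file it fetches from an unsecured source, and the fetched file is only moved into place when the digest matches; otherwise it is discarded. The file contents, the "pinned" digest, and the `install_if_verified` helper are all constructed for this example.

```python
import hashlib
import hmac
import os
import shutil
import tempfile


def sha256_of(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def install_if_verified(downloaded, dest, expected_sha256):
    """Hypothetical install step for a file fetched from a non-apt source.

    The expected digest is assumed to be shipped inside the package (i.e.
    it is covered by apt's own signature), so the downloaded file inherits
    that trust only if it matches. On mismatch the file is deleted rather
    than installed, and False is returned so the caller can fail the hook.
    """
    actual = sha256_of(downloaded)
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        os.unlink(downloaded)  # never leave an unverified file around
        return False
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    os.replace(downloaded, dest)  # atomic rename into the final location
    return True


def demo():
    """Exercise the helper with a constructed data file and a tampered copy.

    Returns (good_installed, tampered_installed); the first should be True,
    the second False.
    """
    tmp = tempfile.mkdtemp()
    genuine = b"constructed GeoIP-like data file, version 1\n"
    # Stand-in for the digest a maintainer would pin in the package.
    pinned = hashlib.sha256(genuine).hexdigest()

    good_src = os.path.join(tmp, "download-good.dat")
    with open(good_src, "wb") as f:
        f.write(genuine)
    good_ok = install_if_verified(
        good_src, os.path.join(tmp, "usr/share/data/geoip.dat"), pinned)

    bad_src = os.path.join(tmp, "download-bad.dat")
    with open(bad_src, "wb") as f:
        f.write(genuine.replace(b"version 1", b"version 2"))  # altered content
    bad_ok = install_if_verified(
        bad_src, os.path.join(tmp, "usr/share/data/geoip-bad.dat"), pinned)

    shutil.rmtree(tmp)
    return good_ok, bad_ok


if __name__ == "__main__":
    print(demo())
```

The digest comparison uses `hmac.compare_digest` out of habit rather than necessity here (the digest is not secret), and the final `os.replace` ensures a partially written or rejected file is never visible at the destination path.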