Re: Packages that download/install unsecured files
On Thu Sep 17, 2009 at 21:26:38 +0200, Christoph Anton Mitterer wrote:
> CURRENT SITUATION:
> One can differentiate between three classes of packages:
> 0) Packages which do not download anything from the web.
> 1) Packages which download stuff but this is just normal data like
> pidgin, firefox (I mean html here, not plugins), wget, ...
> 2) Package installation already downloads something and installs this
> e.g. some font packages (msttcorefonts) or documentations (susv2/3) do
> 3) The package provides automatic update scripts (like here), where
> content that in principle belongs to the package is replaced/updated.
> Many packages do this (clamav-freshclam, rkhunter, tiger, some packages
> for firmwares)
I'd add:
4) The package downloads insecure code and directly executes it.
For an example of this see #451303 - which is fixed - but a perfect