Re: Packages that download/install unsecured files
On Thu, 17 Sep 2009 21:26:38 +0200 Christoph Anton Mitterer wrote:
> Some time ago, I wrote several bug reports against packages that download
> files from non-apt-secured sources on the web and install them.
I also started a similar discussion a while back, which was met with
mixed opinion. I tried to lay out the full spectrum of issues
related to this problem, but many just focused on the non-free aspect.
No consensus was reached.
Checksums are a good start, but if the data itself is non-free (or
closed or obscured), then how can you be sure it is not malicious?
I think it is a matter of trust, and maybe the key would be that scripts
should only accept the external data if it is signed and hashed by an
authenticated DD's gpg key.