Re: Packages that download/install unsecured files

To: debian-devel@lists.debian.org
Subject: Re: Packages that download/install unsecured files
From: Michael S Gilbert <michael.s.gilbert@gmail.com>
Date: Thu, 17 Sep 2009 23:02:05 -0400
Message-id: <[🔎] 20090917230205.48fd6e67.michael.s.gilbert@gmail.com>
In-reply-to: <[🔎] 1253215598.9026.57.camel@fermat.scientia.net>
References: <[🔎] 1253215598.9026.57.camel@fermat.scientia.net>

On Thu, 17 Sep 2009 21:26:38 +0200 Christoph Anton Mitterer wrote:
> Hi.
> 
> Some time ago, I've wrote several bug reports to packages, that download
> files from some non-apt-secured sources of the web, and install them.

i also started a similar discussion a while back, which was met with
mixed opinion [0].  i tried to lay out the full spectrum of issues
related to this problem, but many just focused on the non-free aspect.
no consensus was reached.

checksums are a good start, but if the data itself is non-free (or
closed or obscured), then how can you be sure it is not malicious?

i think it is a matter of trust, and maybe the key would be that scripts
should only accept the external data if it is signed and hashed by an
authenticated DD's gpg key.

mike

[0] http://lists.debian.org/debian-devel/2009/02/msg00461.html

Reply to:

Follow-Ups:
- Re: Packages that download/install unsecured files
  - From: Patrick Matthäi <pmatthaei@debian.org>
- Re: Packages that download/install unsecured files
  - From: Christoph Anton Mitterer <calestyo@scientia.net>

References:
- Packages that download/install unsecured files
  - From: Christoph Anton Mitterer <calestyo@scientia.net>

Prev by Date: Re: Of the use of native packages for programs not specific to Debian.
Next by Date: Re: Packages that download/install unsecured files
Previous by thread: Re: Packages that download/install unsecured files
Next by thread: Re: Packages that download/install unsecured files
Index(es):
- Date
- Thread