
Re: Packages that download/install unsecured files

On Thu, 17 Sep 2009 21:26:38 +0200 Christoph Anton Mitterer wrote:
> Hi.
> Some time ago, I wrote several bug reports to packages that download
> files from some non-apt-secured sources on the web and install them.

I also started a similar discussion a while back, which was met with
mixed opinions [0].  I tried to lay out the full spectrum of issues
related to this problem, but many just focused on the non-free aspect.
No consensus was reached.

Checksums are a good start, but if the data itself is non-free (or
closed or obscured), then how can you be sure it is not malicious?

I think it is a matter of trust, and maybe the key would be that scripts
should only accept the external data if it is signed and hashed by an
authenticated DD's GPG key.


[0] http://lists.debian.org/debian-devel/2009/02/msg00461.html
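The check proposed in the message above (accept downloaded data only if it carries a signature from a pinned Debian Developer key and its hash matches the signed checksum list), written out as an added example. This is not code from the thread or from any Debian package; the fingerprint, file names and the sample gpg status output are placeholders constructed for illustration. The gpg command-line flags used are real GnuPG options; the decision is taken from the machine-readable `--status-fd` lines rather than from the exit code alone, because a "good" signature from the wrong key, or from an expired or revoked key, must still be rejected.

```python
"""Accept a downloaded payload only if a pinned key signed its checksum list.

Added example, not code from the original thread.  Trust model: the package
ships a keyring and the fingerprint of one Debian Developer's key; the
download is installed only if
  1. the detached signature over SHA256SUMS verifies with exactly that key, and
  2. the payload's SHA-256 matches the entry in SHA256SUMS.
All fingerprints, file names and sample outputs below are placeholders.
"""
import hashlib
import re
import subprocess
from pathlib import Path

# Placeholder: fingerprint of the DD key expected to sign the checksum file.
TRUSTED_FPR = "0000000000000000000000000000000000000000"

# Status keywords that mean "reject" even if a VALIDSIG line is also present.
_REJECT = ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY")


def gpg_status_valid(status_text: str, trusted_fpr: str) -> bool:
    """True only if gpg --status-fd output shows a VALIDSIG by the pinned key.

    GOODSIG carries only a key ID, which is short and collidable; VALIDSIG
    carries the full fingerprint of the signing (sub)key and, as its last
    field, the primary key fingerprint.  Either one may be the pinned value.
    """
    want = trusted_fpr.upper()
    seen_valid = False
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1] if len(fields) > 1 else ""
        if keyword in _REJECT:
            return False
        if keyword == "VALIDSIG" and len(fields) >= 3:
            if want in (fields[2].upper(), fields[-1].upper()):
                seen_valid = True
    return seen_valid


def verify_detached_signature(data: Path, sig: Path, keyring: Path,
                              trusted_fpr: str = TRUSTED_FPR) -> bool:
    """Verify with the package-shipped keyring only, never the user's keyring,
    and decide from the status lines, not from the exit code alone."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", str(keyring),
         "--trust-model", "always", "--status-fd", "1", "--verify",
         str(sig), str(data)],
        capture_output=True, text=True, check=False)
    return proc.returncode == 0 and gpg_status_valid(proc.stdout, trusted_fpr)


def parse_sha256sums(text: str) -> dict:
    """Parse sha256sum(1) output: '<64 hex>  <name>'; a leading '*' on the
    name marks binary mode and is dropped."""
    sums = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$", line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def payload_matches(name: str, data: bytes, sums_text: str) -> bool:
    """Compare the payload's SHA-256 with its entry in the signed checksum list."""
    expected = parse_sha256sums(sums_text).get(name)
    return expected is not None and hashlib.sha256(data).hexdigest() == expected


def install_if_trusted(payload: Path, sums: Path, sums_sig: Path,
                       keyring: Path, trusted_fpr: str = TRUSTED_FPR) -> bool:
    """Order matters: verify the signature over the checksum file first, then
    hash the payload.  Nothing from the payload is parsed before both pass."""
    if not verify_detached_signature(sums, sums_sig, keyring, trusted_fpr):
        return False
    return payload_matches(payload.name, payload.read_bytes(), sums.read_text())


# Constructed sample gpg status output (not captured from a real run).
SAMPLE_STATUS_OK = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example DD <dd@example.org>\n"
    "[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2009-09-17 "
    "1253215598 0 4 0 1 8 00 0000000000000000000000000000000000000000\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
SAMPLE_STATUS_OTHER_KEY = SAMPLE_STATUS_OK.replace("0" * 40, "F" * 40)
SAMPLE_STATUS_EXPIRED = SAMPLE_STATUS_OK.replace("GOODSIG", "EXPKEYSIG")

# Constructed checksum file: the SHA-256 of the bytes b"hello world".
SAMPLE_SUMS = (
    "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9  data.tar.gz\n"
)

if __name__ == "__main__":
    print(gpg_status_valid(SAMPLE_STATUS_OK, TRUSTED_FPR))               # True
    print(gpg_status_valid(SAMPLE_STATUS_OTHER_KEY, TRUSTED_FPR))        # False
    print(payload_matches("data.tar.gz", b"hello world", SAMPLE_SUMS))   # True
```

In a maintainer script the keyring would be shipped with the package (for example under /usr/share/<package>/), so the only trust anchor is data that itself arrived through the apt-secured archive; the download supplies nothing but the payload, the checksum list and the detached signature, and a mismatch at either step aborts before the payload is touched.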
