
Re: Packages that download/install unsecured files



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Michael S Gilbert schrieb:
> On Thu, 17 Sep 2009 21:26:38 +0200 Christoph Anton Mitterer wrote:
>> Hi.
>>
>> Some time ago, I've written several bug reports to packages that download
>> files from some non-apt-secured sources of the web, and install them.
> 
> i also started a similar discussion a while back, which was met with
> mixed opinion [0].  i tried to lay out the full spectrum of issues
> related to this problem, but many just focused on the non-free aspect.
> no consensus was reached.
> 
> checksums are a good start, but if the data itself is non-free (or
> closed or obscured), then how can you be sure it is not malicious?
> 
> i think it is a matter of trust, and maybe the key would be that scripts
> should only accept the external data if it is signed and hashed by an
> authenticated DD's gpg key.

This would be a good option. But I think you do not have access to the
upstream files and also you cannot sign them; maybe upstream itself
also does not want to do it.

Hosting them on my own host is also not a good option.

> 
> mike
> 
> [0] http://lists.debian.org/debian-devel/2009/02/msg00461.html
> 
> 


- --
/*
Mit freundlichem Gruß / With kind regards,
 Patrick Matthäi
 GNU/Linux Debian Developer

E-Mail: pmatthaei@debian.org
        patrick@linux-dev.org

Comment:
Always if we think we are right,
we were maybe wrong.
*/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkqzGJEACgkQ2XA5inpabMf8LgCgiHwsWxk12w91O4ozp2vEwLsD
IuoAoIErTVqIMWd9muwK0tfBWAgycf3n
=r5nE
-----END PGP SIGNATURE-----
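The gate proposed in the thread, a file fetched at install time is accepted only if it matches a pinned checksum and carries a signature from a key the package trusts, as an added example that is not code from this thread or from any Debian package it discusses. It assumes the maintainer ships three things inside the package: a pinned SHA-256 digest, a detached OpenPGP signature, and a package-owned keyring holding the signing developer's key; the keyring path, signature path and fingerprint passed in below are placeholders the caller supplies, and the payload is a constructed sample.

```python
"""Fail-closed verification gate for a file a package fetches at install time.

Added example, not code from the Debian thread or from any package it
mentions. It assumes the maintainer ships, inside the package, a pinned
SHA-256 digest, a detached OpenPGP signature and a package-owned keyring
holding the signing developer's key; the keyring path and the fingerprint
are placeholders the caller supplies.
"""
import hashlib
import hmac
import os
import shutil
import subprocess
import tempfile
from typing import Optional

# Constructed sample payload standing in for the downloaded upstream file,
# with the digest a maintainer would pin in the package.
SAMPLE_PAYLOAD = b"hello world\n"
SAMPLE_SHA256 = "a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447"


def make_sample_file() -> str:
    """Write the constructed payload to a temp file and return its path."""
    fd, path = tempfile.mkstemp(prefix="upstream-", suffix=".bin")
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_PAYLOAD)
    return path


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large downloads are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def checksum_matches(path: str, pinned_hex: str) -> bool:
    """Compare against the digest pinned in the package, never one fetched alongside the file."""
    return hmac.compare_digest(sha256_of(path), pinned_hex.strip().lower())


def signature_valid(path: str, sig_path: str, keyring: str,
                    expected_fpr: Optional[str] = None) -> bool:
    """Verify a detached signature against the package-owned keyring only.

    --no-default-keyring keeps root's own keyring out of the decision;
    VALIDSIG on the status fd is gpg's machine-readable good-signature
    record and carries the signing key's fingerprint, which is pinned when
    expected_fpr is given. Any failure (no gpg binary, bad signature,
    unknown key, missing file, timeout) returns False: the gate fails closed.
    """
    gpg = shutil.which("gpg")
    if gpg is None:
        return False
    cmd = [gpg, "--batch", "--no-tty", "--no-default-keyring",
           "--keyring", keyring, "--status-fd", "1",
           "--verify", sig_path, path]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=60)
    except (OSError, subprocess.TimeoutExpired):
        return False
    if proc.returncode != 0:
        return False
    for line in proc.stdout.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            if expected_fpr is None:
                return True
            return hmac.compare_digest(parts[2].upper(),
                                       expected_fpr.replace(" ", "").upper())
    return False


def install_gate(path: str, pinned_hex: str, sig_path: str, keyring: str,
                 expected_fpr: Optional[str] = None) -> bool:
    """Both checks must pass; the caller installs only on True."""
    return (checksum_matches(path, pinned_hex)
            and signature_valid(path, sig_path, keyring, expected_fpr))


if __name__ == "__main__":
    sample = make_sample_file()
    print("checksum ok:", checksum_matches(sample, SAMPLE_SHA256))
    # Placeholder keyring and signature paths: nothing signed ships with this
    # example, so the signature check reports False here.
    print("signature ok:", signature_valid(sample, sample + ".asc",
                                           "/usr/share/keyrings/example-pkg.gpg"))
    os.unlink(sample)
```

The checksum alone only proves the maintainer saw the same bytes; it says nothing about who produced them, which is the point raised above. Pinning the fingerprint in addition to using a dedicated keyring means a key that later ends up in the keyring by mistake still cannot satisfy the gate.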