Re: Packages that download/install unsecured files
On 9/18/09, Patrick Matthäi <email@example.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> Michael S Gilbert schrieb:
>> On Thu, 17 Sep 2009 21:26:38 +0200 Christoph Anton Mitterer wrote:
>>> Some time ago, I've wrote several bug reports to packages, that download
>>> files from some non-apt-secured sources of the web, and install them.
>> i also started a similar discussion a while back, which was met with
>> mixed opinion . i tried to lay out the full spectrum of issues
>> related to this problem, but many just focused on the non-free aspect.
>> no consensus was reached.
>> checksums are a good start, but if the data itself is non-free (or
>> closed or obscured), then how can you be sure it is not malicious?
>> i think it is a matter of trust, and maybe the key would be that scripts
>> should only accept the external data if it is signed and hashed by an
>> authenticated DD's gpg key.
> This would be a good option. But I think you do not have access to the
> upstream files and also you can not sign them, maybe upstream itself
> also do not want to do it.
> Hosting them on my own host is also not a good option.
you could host just the hashes for the external files (signed with
your key) on your site. then you wouldn't have to duplicate
upstream's data files nor spend (much) of your own bandwidth (since
the hash files should be fairly small in most cases).
or maybe there could be a hash.debian.org or a project on alioth to
centralize the hashes?