
Re: Packages that download/install unsecured files



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Michael S Gilbert wrote:
> On 9/18/09, Patrick Matthäi <pmatthaei@debian.org> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Michael S Gilbert wrote:
>>> On Thu, 17 Sep 2009 21:26:38 +0200 Christoph Anton Mitterer wrote:
>>>> Hi.
>>>>
>>>> Some time ago, I wrote several bug reports for packages that download
>>>> files from some non-apt-secured sources on the web and install them.
>>> I also started a similar discussion a while back, which was met with
>>> mixed opinion [0].  I tried to lay out the full spectrum of issues
>>> related to this problem, but many just focused on the non-free aspect.
>>> No consensus was reached.
>>>
>>> Checksums are a good start, but if the data itself is non-free (or
>>> closed or obscured), then how can you be sure it is not malicious?
>>>
>>> I think it is a matter of trust, and maybe the key would be that scripts
>>> should only accept the external data if it is signed and hashed by an
>>> authenticated DD's gpg key.
>> This would be a good option. But I think you do not have access to the
>> upstream files and also cannot sign them; maybe upstream itself also
>> does not want to do it.
>>
>> Hosting them on my own host is also not a good option.
> 
> You could host just the hashes for the external files (signed with
> your key) on your site.  Then you wouldn't have to duplicate
> upstream's data files nor spend (much of) your own bandwidth (since
> the hash files should be fairly small in most cases).


Hmm, good idea :)


- --
/*
Mit freundlichem Gruß / With kind regards,
 Patrick Matthäi
 GNU/Linux Debian Developer

E-Mail: pmatthaei@debian.org
        patrick@linux-dev.org

Comment:
Always if we think we are right,
we were maybe wrong.
*/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkqzzKEACgkQ2XA5inpabMdsSQCgg0+9S6my1TCXUZoFn6nR3+N4
tCwAn3ukfDSdOovEl/eoZx3eTU7YUgYi
=YMqo
-----END PGP SIGNATURE-----


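The scheme the reply sketches (maintainer hosts only a signed checksum list, the package ships the maintainer's public key, the install script verifies signature and digest before using the upstream file) as an added shell example. This is not code from the thread or from any Debian package; the file names, the local "mirror" directory that stands in for the two hosts, the key identity and the throwaway key generation are constructed for illustration, and a real package would ship a fixed public keyring rather than generate a key.

```shell
#!/bin/sh
# Added example, not code from the thread or from any Debian package: an
# installer helper for the scheme proposed above. The maintainer publishes a
# SHA256SUMS file plus a detached OpenPGP signature over it; the package
# ships only the maintainer's public key and refuses to install the upstream
# file unless the signature verifies against that pinned key AND the file's
# digest matches the signed list. Network fetches are replaced by a local
# directory built in make_demo_mirror; all names, paths and the key identity
# are constructed for illustration.
set -eu

# verify_and_install DATA SUMS SIG KEYRING DEST
#   DATA    downloaded upstream file              (untrusted)
#   SUMS    downloaded SHA256SUMS                 (untrusted until verified)
#   SIG     downloaded detached signature         (untrusted until verified)
#   KEYRING binary keyring shipped in the package (absolute path)
#   DEST    where to place DATA once both checks pass
verify_and_install() {
    data=$1 sums=$2 sig=$3 keyring=$4 dest=$5
    # Check 1: SUMS must carry a good signature from a key in KEYRING.
    # gpgv consults only the keyrings named here, never the user's trustdb,
    # so a key the attacker merely controls cannot satisfy it.
    if ! gpgv --keyring "$keyring" "$sig" "$sums" >/dev/null 2>&1; then
        echo "REJECT: bad or missing signature on $(basename "$sums")" >&2
        return 1
    fi
    # Check 2: the file's SHA-256 must equal the entry in the signed list.
    # Only the line for this file is fed to sha256sum -c; an empty selection
    # makes sha256sum -c fail, so a file absent from SUMS is rejected too.
    if ! grep " $(basename "$data")\$" "$sums" \
         | (cd "$(dirname "$data")" && sha256sum -c - >/dev/null 2>&1); then
        echo "REJECT: digest mismatch for $(basename "$data")" >&2
        return 1
    fi
    cp "$data" "$dest"
}

# make_demo_mirror BASE: stands in for upstream's host and the maintainer's
# host. Generates a throwaway signing key (a real package ships a public key
# and never generates one at install time), a constructed data file, its
# SHA256SUMS, the detached signature, and the public keyring.
make_demo_mirror() {
    base=$1
    mkdir -p "$base/mirror" "$base/gnupg"
    chmod 700 "$base/gnupg"
    gpg --homedir "$base/gnupg" --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-generate-key \
        'Demo Maintainer <demo@example.invalid>' default default never 2>/dev/null
    printf 'constructed upstream blob v1\n' > "$base/mirror/data.bin"
    (cd "$base/mirror" && sha256sum data.bin > SHA256SUMS)
    gpg --homedir "$base/gnupg" --batch --quiet --pinentry-mode loopback \
        --passphrase '' --detach-sign \
        --output "$base/mirror/SHA256SUMS.gpg" "$base/mirror/SHA256SUMS" 2>/dev/null
    gpg --homedir "$base/gnupg" --batch --quiet --export > "$base/keyring.gpg"
}

# run_demo BASE: returns 0 only if the genuine file installs and both
# tampering cases (modified file; re-hashed but unsigned SHA256SUMS) are
# rejected.
run_demo() {
    base=$1
    make_demo_mirror "$base"
    m=$base/mirror
    verify_and_install "$m/data.bin" "$m/SHA256SUMS" "$m/SHA256SUMS.gpg" \
        "$base/keyring.gpg" "$base/installed.bin" || return 1
    echo "genuine file installed"
    # Attacker swaps the upstream file (e.g. on-path tampering of plain HTTP).
    printf 'trojaned\n' > "$m/data.bin"
    if verify_and_install "$m/data.bin" "$m/SHA256SUMS" "$m/SHA256SUMS.gpg" \
        "$base/keyring.gpg" "$base/installed2.bin"; then return 1; fi
    # Attacker also rewrites SHA256SUMS to match; the old signature no longer
    # covers it, and the attacker cannot sign with the maintainer's key.
    (cd "$m" && sha256sum data.bin > SHA256SUMS)
    if verify_and_install "$m/data.bin" "$m/SHA256SUMS" "$m/SHA256SUMS.gpg" \
        "$base/keyring.gpg" "$base/installed2.bin"; then return 1; fi
    echo "both tampered variants rejected"
}

command -v gpgv >/dev/null 2>&1 && run_demo "$(mktemp -d)"
```

The order of the two checks matters: the signature is verified first so that the checksum list is trusted before any digest in it is compared, and the keyring passed to gpgv must be a file the package controls (shipped under /usr/share, not fetched alongside the data). Rotating the hash file when upstream publishes a new version costs the maintainer one re-signed SHA256SUMS, which is the bandwidth saving the reply describes.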