
Re: Packages that download/install unsecured files



On Fri, 2009-09-18 at 18:19 +0300, Tom Feiner wrote:
> Geoip upstream provides the source of these binary databases, so all we need
> to do is find a consistent and reliable way to get new database updates, built
> from source by Debian and propagated through the usual apt repositories. This
> looks like a good candidate for volatile/backports. Looks like this method
> works well for clamav-data and other similar packages which need to update
> databases frequently on stable/oldstable.

Of course, if the data could be included directly into a package that
would be much better, but this is not possible for all packages.
If it is possible, the maintainer should of course still try to verify
his sources/data using upstream signatures/hashes/etc.

In case it is not possible to include it in the package, the control
or "power" on the hashes/signatures should be held by someone from
Debian.


Cheers,
Chris.
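
Added example, not part of the original message and not code from any Debian package: one way a package that fetches data at install time could keep control of the hashes inside the package, by shipping a SHA-256 manifest in the signed .deb and refusing any download that does not match it. The function names, file names and manifest layout are assumptions made for illustration.

```shell
#!/bin/sh
# Hypothetical helpers for a maintainer script. The manifest uses the
# "<sha256>  <name>" layout written by sha256sum and is assumed to ship
# inside the package, so the archive signature covers the expected hashes.

# verify_pinned MANIFEST NAME FILE
# 0 = FILE matches the hash pinned for NAME, 1 = mismatch, 2 = NAME not pinned.
verify_pinned() {
    # Exact match on the name column; take the first entry only.
    expected=$(awk -v n="$2" '$2 == n { print $1; exit }' "$1")
    [ -n "$expected" ] || return 2
    actual=$(sha256sum -- "$3" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# install_verified MANIFEST NAME DOWNLOADED DEST
# Moves DOWNLOADED to DEST only after verification; otherwise deletes it
# so unverified data never stays on disk under a usable name.
install_verified() {
    if verify_pinned "$1" "$2" "$3"; then
        mv -- "$3" "$4"
    else
        rm -f -- "$3"
        return 1
    fi
}

# Offline demonstration on constructed data (no network access).
demo() {
    d=$(mktemp -d) || return 1
    # Constructed manifest: SHA-256 of the three bytes "abc".
    echo "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  sample.dat" \
        > "$d/SHA256SUMS"
    printf 'abc' > "$d/good.tmp"   # stands in for an untampered download
    printf 'abd' > "$d/bad.tmp"    # stands in for a modified download
    install_verified "$d/SHA256SUMS" sample.dat "$d/good.tmp" "$d/sample.dat" \
        && echo "good download: installed"
    install_verified "$d/SHA256SUMS" sample.dat "$d/bad.tmp" "$d/sample.dat" \
        || echo "modified download: rejected"
    rm -rf -- "$d"
}
demo
```

With this layout a new upstream data release can only be installed after a package update carrying the new hash, which puts the decision with the Debian maintainer rather than with whoever controls the download server.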

