
Re: leaks in our only-signed-software fortress
On Sat, 18 Feb 2012 15:49:30 +0000, Neil Williams <codehelp@debian.org> wrote:
> On Sat, 18 Feb 2012 16:25:20 +0200
> Christoph Anton Mitterer <calestyo@scientia.net> wrote:
> 
> > Am 18.02.2012 14:40, schrieb Neil Williams:
> > >> I think as a start it should be made a policy that any "wrapper" package that
> > >> downloads code from the net must at least do a strong checksum check on the
> > >> downloaded code.
> > > Not possible to enforce as a 'MUST' because, by definition, third-party
> > > websites will not provide checksums for every possible download
> > > mechanism.
> > 
> > Well, it's still possible then... the maintainer can just calculate
> > sums on his own.
> 
> Against what? The source is only downloaded from upstream once per
> upstream release, what is there to check against?

He's talking about stuff like flash-nonfree (or whatever) where we ship
a wrapper that wgets the actual tarball for you from the distributor,
and checks the checksum of whatever it ends up with.

The maintainer can grab a copy, checksum it (perhaps if paranoid do the
download from elsewhere on a different day, make sure the checksums
match), and then sign a package containing the checksum that he
generated to ensure that everyone that installs the package gets the
same tarball, or sees an error message.

Cheers, Phil.
-- 
|)|  Philip Hands [+44 (0)20 8530 9560]    http://www.hands.com/
|-|  HANDS.COM Ltd.                    http://www.uk.debian.org/
|(|  10 Onslow Gardens, South Woodford, London  E18 1NE  ENGLAND
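The verify step of the wrapper Phil describes (pinned checksum shipped in the signed package, downloaded tarball either matches or the install errors out), as an added example that is not code from this thread or from any Debian package. The tarball contents, the `upstream.tar.gz` name and the `fetch_and_verify` URL handling are constructed for illustration; `sha256sum`/`shasum` and `wget` are assumed to be the stock tools.

```shell
#!/bin/sh
# Added example: the checksum gate a download wrapper's maintainer script
# would apply. The pinned sum is computed once by the maintainer at packaging
# time and shipped inside the signed package; the installer recomputes it on
# whatever the download produced and refuses anything else.

sha256_of() {
    # Print the hex SHA-256 of a file; fall back to shasum where coreutils is absent.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_tarball FILE EXPECTED_SHA256: 0 if FILE matches the pinned sum,
# 1 if it is missing or differs (the "error message" case in the thread).
verify_tarball() {
    file=$1; expected=$2
    [ -f "$file" ] || { echo "error: $file not found" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "error: checksum mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  got:      $actual" >&2
        return 1
    fi
    return 0
}

# fetch_and_verify URL FILE EXPECTED_SHA256: what the wrapper would do at
# install time (assumes wget; the URL is whatever upstream publishes).
# An unverified download is deleted so nothing downstream can pick it up.
fetch_and_verify() {
    url=$1; file=$2; expected=$3
    wget -q -O "$file" "$url" || { echo "error: download of $url failed" >&2; return 1; }
    if verify_tarball "$file" "$expected"; then return 0; fi
    rm -f "$file"
    return 1
}

# Offline demonstration with a constructed stand-in for the upstream tarball.
tmpdir=$(mktemp -d)
printf 'pretend this is upstream-1.0.tar.gz\n' > "$tmpdir/upstream.tar.gz"
PINNED_SHA256=$(sha256_of "$tmpdir/upstream.tar.gz")   # the maintainer's one-time step
verify_tarball "$tmpdir/upstream.tar.gz" "$PINNED_SHA256" && echo "genuine copy: OK"
printf 'extra bytes\n' >> "$tmpdir/upstream.tar.gz"    # a copy altered in transit
verify_tarball "$tmpdir/upstream.tar.gz" "$PINNED_SHA256" || echo "altered copy: rejected"
rm -rf "$tmpdir"
```

Computing the pinned sum from an independent second download on another day, as Phil suggests, is what makes the shipped value worth signing; the script above only enforces whatever value the maintainer put in.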
