Hi Dmitry, Le vendredi, 14 septembre 2012 13.19:43, Dmitry Smirnov a écrit : > Package name: libdvdcss-pkg Surprising package. > * Installer is implemented as shell script installed as DPKG post-invoke > handler. > > * Host package version meant to me an exact match of guest package > with debian/watch file inherited from guest package for notifications > about new upstream versions. uscan does absolutely no checking of the resulting tarball so this is sensitive to DNS MITM (at least). IMHO having a tighter connection between this libdvdcss-pkg and the upstream tarballs hashsums would be a good idea: you would need to upload a new version of libdvdcss-pkg for each new version of libdvdcss to tighten the trust chain. Cheers, OdyX
Description: This is a digitally signed message part.