Re: Bug#687624: ITP: libdvdcss-pkg -- automated installer for libdvdcss

Hi Dmitry,

Le vendredi, 14 septembre 2012 13.19:43, Dmitry Smirnov a écrit :
>    Package name: libdvdcss-pkg

Surprising package.

>  * Installer is implemented as shell script installed as DPKG post-invoke
>    handler.
>  * Host package version meant to be an exact match of guest package
>    with debian/watch file inherited from guest package for notifications
>    about new upstream versions.

uscan does absolutely no checking of the resulting tarball so this is 
sensitive to DNS MITM (at least). IMHO having a tighter connection between 
this libdvdcss-pkg and the upstream tarballs hashsums would be a good idea: 
you would need to upload a new version of libdvdcss-pkg for each new version 
of libdvdcss to tighten the trust chain.
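The check suggested above, pinning the upstream tarball's hashsum inside the installer package so that whatever the download step fetches is verified before it is unpacked, sketched as an added POSIX sh example (not code from the ITP, the libdvdcss-pkg package or Debian's tooling). The `PINNED_SHA256` value is a placeholder, and `install_guest` and `verify_tarball` are hypothetical names for what a post-invoke handler would run after the download; updating the pinned digest is what would require a new upload of the installer package for each upstream release.

```shell
#!/bin/sh
# Added example (not part of the ITP or the libdvdcss-pkg package): verify a
# downloaded tarball against a SHA-256 digest pinned in the installer package
# before unpacking it, so a substituted or corrupted download is rejected
# instead of being installed.

# Pinned digest shipped inside the installer package. PLACEHOLDER value:
# the real digest of the matching upstream tarball belongs here, and a new
# upstream release means a new pinned digest and a new package upload.
PINNED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"

# sha256_of FILE -> prints the hex SHA-256 digest of FILE
# (coreutils sha256sum where available, otherwise perl/BSD shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_tarball FILE EXPECTED_SHA256 -> 0 on match, 1 on mismatch or missing file.
# Both digests are compared as plain strings; no partial match is accepted.
verify_tarball() {
    file="$1"
    expected="$2"
    if [ ! -f "$file" ]; then
        echo "verify_tarball: $file not found" >&2
        return 1
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "verify_tarball: hash mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# install_guest TARBALL -> hypothetical post-download step: unpack only after
# the pinned digest has been confirmed. DESTDIR defaults to /tmp for the example.
install_guest() {
    tarball="$1"
    verify_tarball "$tarball" "$PINNED_SHA256" || return 1
    tar -xzf "$tarball" -C "${DESTDIR:-/tmp}"
}
```

The download itself (whatever uscan or wget produced) is deliberately outside the check: the only input that decides whether unpacking happens is the digest shipped in the package, so a DNS-level substitution of the upstream host changes what is fetched but cannot make `verify_tarball` succeed.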
