[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: jessie release goals

Christoph Anton Mitterer wrote:
> 2) No more packages that bypass the package management system and secure
> apt:
> a) There are still several (typically non-free) packages which download
> stuff from the web, install or at least un-tar it somwhere without
> checking any integrity information that would be hardcoded in that
> package.

There's nothing stopping you filing a release critical bug
against any package that does this. I do it whenever I notice
something doing that. It's a security hole, plain and simple,
and while in the broader world   curl http://insecure.example.org/ | sh
is distressingly common, there's no reason to allow such things
in Debian.

(Last I checked, flashplugin-nonfree verified the integrity of its
downloads in a secure way.)

see shy jo

Attachment: signature.asc
Description: Digital signature

Reply to: