
Re: jessie release goals



Christoph Anton Mitterer wrote:
> 2) No more packages that bypass the package management system and secure
> apt:
> a) There are still several (typically non-free) packages which download
> stuff from the web, install or at least un-tar it somewhere without
> checking any integrity information that would be hardcoded in that
> package.

There's nothing stopping you filing a release critical bug
against any package that does this. I do it whenever I notice
something doing that. It's a security hole, plain and simple,
and while in the broader world   curl http://insecure.example.org/ | sh
is distressingly common, there's no reason to allow such things
in Debian.

(Last I checked, flashplugin-nonfree verified the integrity of its
downloads in a secure way.)

-- 
see shy jo
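
The check discussed in this message, as an added example that is not part of the original thread: a maintainer-script style helper that refuses to unpack a downloaded archive unless its SHA-256 matches a digest pinned in the package. The function names are hypothetical, and the sketch assumes coreutils sha256sum and a tar that accepts --no-same-owner.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Assumes sha256sum (coreutils) and a tar that accepts --no-same-owner.

# sha256_of FILE: print the file's SHA-256 as lowercase hex.
sha256_of() {
    sha256sum -- "$1" | cut -d' ' -f1
}

# verify_and_unpack ARCHIVE PINNED_SHA256 DESTDIR
# 0 = verified and unpacked, 1 = digest mismatch, 2 = bad pin or unpack error.
# Nothing is extracted or created in DESTDIR unless the digest matches.
verify_and_unpack() {
    archive=$1 pinned=$2 dest=$3
    # A malformed pin is an error, never a reason to skip the check.
    case $pinned in
        ""|*[!0-9a-f]*) echo "bad pinned digest" >&2; return 2 ;;
    esac
    [ "${#pinned}" -eq 64 ] || { echo "bad pinned digest" >&2; return 2; }
    actual=$(sha256_of "$archive") || return 2
    if [ "$actual" != "$pinned" ]; then
        echo "checksum mismatch for $archive, refusing to unpack" >&2
        return 1
    fi
    # Unpack into a private staging directory, then copy into place.
    staging=$(mktemp -d) || return 2
    if tar -xzf "$archive" -C "$staging" --no-same-owner; then
        mkdir -p "$dest" && cp -R "$staging"/. "$dest"/
        rc=$?
    else
        rc=2
    fi
    rm -rf "$staging"
    return "$rc"
}

# Constructed demo: build a small archive, pin it, tamper with a copy.
demo=$(mktemp -d)
echo "constructed payload" > "$demo/hello.txt"
tar -czf "$demo/good.tar.gz" -C "$demo" hello.txt
pin=$(sha256_of "$demo/good.tar.gz")  # a real package hardcodes this literal
cp "$demo/good.tar.gz" "$demo/tampered.tar.gz"
printf 'x' >> "$demo/tampered.tar.gz"
verify_and_unpack "$demo/good.tar.gz" "$pin" "$demo/out" && echo "good: unpacked"
verify_and_unpack "$demo/tampered.tar.gz" "$pin" "$demo/out2" || echo "tampered: rejected"
rm -rf "$demo"
```

Because the pinned digest ships inside the package, it is covered by the same signed archive metadata that secure apt already verifies, so the transport used for the download no longer has to be trusted.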
