On Thu, Apr 06, 2017 at 11:17:26AM +0530, Pirate Praveen wrote:
> Sharing with wider debian community, hoping to get some support.

I'm afraid I cannot give my support to this. I'm not involved with release management, so this is just one rando developer's opinion.

> Current version in unstable does not have any RC bugs

Possibly it should. Looking at
https://sources.debian.net/src/diaspora-installer/0.6.3.0%2Bdebian4/diaspora-download.sh/

If I read that code correctly, it downloads code from github, and installs it. There is no verification step that the downloaded content is valid and hasn't been substituted by an attacker.

This seems to me unfit for a Debian stable release. I would expect the package to check the checksum of the downloaded tarball, or similar mechanism.

-- 
I want to build worthwhile things that might last. --joeyh
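The checksum check asked for in the message above, sketched as an added example; it is not part of the original message and is not code from diaspora-installer. The function names are hypothetical, and the pinned SHA-256 is assumed to ship inside the signed package so that it is covered by the archive's own signature.

```shell
#!/bin/sh
# Added example: refuse to unpack a downloaded tarball unless its SHA-256
# matches a digest pinned in the package. All names here are hypothetical.

# sha256_of FILE -> prints the lowercase hex digest of FILE
sha256_of() {
    sha256sum < "$1" | cut -d' ' -f1
}

# verify_tarball FILE EXPECTED
# returns 0 on exact match, 1 on mismatch, 2 on unusable input
verify_tarball() {
    vt_file=$1
    vt_expected=$2
    [ -f "$vt_file" ] || { echo "missing file: $vt_file" >&2; return 2; }
    # The pinned value must be exactly 64 lowercase hex characters;
    # an empty or truncated pin must never be treated as "matches".
    case $vt_expected in
        ""|*[!0-9a-f]*) echo "malformed pinned digest" >&2; return 2 ;;
    esac
    [ "${#vt_expected}" -eq 64 ] || { echo "malformed pinned digest" >&2; return 2; }
    vt_actual=$(sha256_of "$vt_file") || return 2
    if [ "$vt_actual" != "$vt_expected" ]; then
        echo "checksum mismatch for $vt_file" >&2
        echo "  expected $vt_expected" >&2
        echo "  got      $vt_actual" >&2
        return 1
    fi
    return 0
}

# install_verified FILE EXPECTED DESTDIR
# Unpacks only after verification; on failure the download is deleted
# and DESTDIR is never created.
install_verified() {
    verify_tarball "$1" "$2" || { rm -f -- "$1"; return 1; }
    mkdir -p -- "$3" && tar -xzf "$1" -C "$3"
}

# Stand-alone use: script.sh TARBALL PINNED_SHA256 DESTDIR
if [ "$#" -eq 3 ]; then
    install_verified "$1" "$2" "$3"
fi
```
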