Re: Bug#405997: should executables be permitted to update themselves?

["Michael Gilbert" <michael.s.gilbert@gmail.com>]

On Jan 14, 1:10 pm, "Shaun Jackman" wrote:
> On a stable Debian system, system-wide upgrades can be far between. I
> prefer to give the user a choice of whether to use the update system
> provided by the upstream author to update the software before the next
> stable release of Debian.

like i said originally, my primary concern is security (although
dfsg-ness and the issues described by others in this thread are quite
important as well).  allowing azureus to go out and get its own
executable subjects the user to potentially malicious code that
otherwise would not be there.  two things could happen -- the upstream
jar could introduce new unfixed flaws and/or vulnerabilities that are
being exploited, or a man-in-the-middle could replace the upstream jar
with his own malicious jar.  apt uses signed packages to prevent the
man-in-the middle and debian's security team makes sure that all
security flaws are addressed.

i believe that the solution is to completely disable the update
feature.  if the user wants to run the latest azureus on stable, they
can use apt-pinning [1] to install the package from sid.  how to do
this can be either added to the azureus documentation or to a
notification thats dropped into the gnome notification area when
azureus is run.

thank you for the constructive conversation.

mike

[1] http://www.debian.org/doc/manuals/apt-howto/ch-apt-get.en.html