
Re: Bug#405997: should executables be permitted to update themselves?



On Sun, Jan 14, 2007 at 07:51:22PM -0000, Michael Gilbert wrote:
> On Jan 14, 1:10 pm, "Shaun Jackman" wrote:
> > On a stable Debian system, system-wide upgrades can be far between. I
> > prefer to give the user a choice of whether to use the update system
> > provided by the upstream author to update the software before the next
> > stable release of Debian.
> 
> like i said originally, my primary concern is security (although
> dfsg-ness and the issues described by others in this thread are quite
> important as well).  allowing azureus to go out and get its own
> executable subjects the user to potentially malicious code that
> otherwise would not be there.  two things could happen -- the upstream
> jar could introduce new unfixed flaws and/or vulnerabilities that are
> being exploited, or a man-in-the-middle could replace the upstream jar
> with his own malicious jar.  apt uses signed packages to prevent the
> man-in-the-middle and debian's security team makes sure that all
> security flaws are addressed.
> 

For info, should a security update be issued, it will update the files
in /usr. How would this affect files in ~/azureus?

I'm not sure we'll be able to provide good security support if other
random things are downloaded.

Neil
-- 
<gwolf> bah.... Germans. You just put 100 DDs in one country and then they all
	become friends of each other.
