
Re: scrollkeeper loading external (online) DTD



That's absolutely ridiculous.

I would file one at once, that should definitely not go unchecked, at least.  I can appreciate the motivation, but for my own sanity I'm too paranoid to a) accept strange unknown files/connections or b) send out requests for such data.  Especially considering it all happens without my knowledge, which, thanks, now I know.  Who knows if the file is the original?  The checksum is verified, but that doesn't mean much all things considered, where did the checksum come from?

On 08 Jan 2003 22:54:12 +0100
Sebastien Chaumat <schaumat@debian.org> wrote:

> Hi,
> 
>  This is a real example : 
> 
>  The xbill package contains : /usr/share/gnome/help/xbill/C/xbill.xml
> 
>  In this file the DTD is referred to by an absolute external link :
> 
> <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
>     "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"
> 
>  Thus : scrollkeeper-update blindly connects to www.oasis-open.org to get
> the docbookx.dtd.
> 
>  I can trust signed debian packages but I can't trust 
> www.oasis-open.org.
> 
> More than 18 files in /usr/share/gnome/help/ induce this download.
> 
> I'm about to make a bug report against scrollkeeper (for acting blindly,
> and downloading the same file more than once) and against packages that
> provide the xml files (for using an external DTD instead of providing
> it)...
> 
> Your opinion?
> 
> Cheers,
> 
> SEb

Attachment: pgp6BDk2Jmluh.pgp
Description: PGP signature
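
An added example, not part of the original messages and not scrollkeeper code: a small audit that finds help documents whose DOCTYPE names a remote DTD, grouped by URL so repeated references to the same file are visible. The sample documents are constructed; only the xbill path and its DOCTYPE come from the quoted message, and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# External identifier of a DOCTYPE declaration:
#   <!DOCTYPE root PUBLIC "public-id" "system-id"   or   <!DOCTYPE root SYSTEM "system-id"
DOCTYPE_RE = re.compile(
    r"""<!DOCTYPE\s+[^\s\[>]+\s+
        (?:PUBLIC\s+(?P<q1>["'])(?P<public>.*?)(?P=q1)\s+|SYSTEM\s+)
        (?P<q2>["'])(?P<system>.*?)(?P=q2)""",
    re.VERBOSE | re.DOTALL,
)
COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def external_dtd(xml_text):
    """Return (public_id, system_id) from the DOCTYPE, or None if absent."""
    m = DOCTYPE_RE.search(COMMENT_RE.sub("", xml_text))  # ignore commented-out DOCTYPEs
    return (m.group("public"), m.group("system")) if m else None


def remote_dtd_report(docs):
    """Map each remote DTD URL to the sorted paths of documents referencing it."""
    report = defaultdict(list)
    for path, text in docs.items():
        ids = external_dtd(text)
        if ids and ids[1].lower().startswith(REMOTE_SCHEMES):
            report[ids[1]].append(path)
    return {url: sorted(paths) for url, paths in report.items()}


# Constructed sample input. Only the xbill path and its DOCTYPE come from the
# message; the other paths and contents are hypothetical.
OASIS = "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"
PUBLIC = '<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"\n    "%s">'
SAMPLE_DOCS = {
    "/usr/share/gnome/help/xbill/C/xbill.xml": PUBLIC % OASIS + "<article/>",
    "/usr/share/gnome/help/example-app/C/example-app.xml": PUBLIC % OASIS + "<article/>",
    "/usr/share/gnome/help/local-dtd/C/local-dtd.xml":
        "<!DOCTYPE article SYSTEM 'docbookx.dtd'><article/>",
    "/usr/share/gnome/help/commented/C/commented.xml":
        "<!-- " + PUBLIC % OASIS + " --><article/>",
}

if __name__ == "__main__":
    for url, paths in remote_dtd_report(SAMPLE_DOCS).items():
        print("%s referenced by %d file(s)" % (url, len(paths)))
        for p in paths:
            print("  " + p)
```

Each URL in the report is one a resolving parser would fetch over the network unless the identifier is mapped to a local copy, for example through an XML catalog.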

