Around 200 packages [0] include upstream scripts that download code via
(non-secure) http, then run it without an integrity check.
This is obviously a security hole (network MITM => code execution), but
not necessarily one that is opened by normal use of the package. (E.g.
fetch-dependencies-and-build scripts can't download anything on a Debian
buildd, though it would still make sense to report them to upstream.)
Some instances of this (i.e. where the download origin offers it) are
trivially improvable by replacing http with https.
How should this be dealt with?
- Mass report?
- As BTS bugs (i.e. public) or private email?
- (imperfect) Lintian check based on [0]?
- If one is fixed, should it also be fixed in stable? (Probably depends
on how likely the script is to be used from the package)
Previous discussions that I can find [1-2] reached no clear conclusion,
possibly because there were other issues involved (the trustworthiness
of the downloads' intended origin, and whether downloaders had to be in
contrib).
[0] codesearch `(wget|curl).*http://[^ ]*/[^ ]*\.(pl|sh|py|gz|xz|bz2|zip)($|[^a-z])`
matches 368 packages, but not all of them are actual security problems
[1] https://lists.debian.org/debian-security/2012/12/msg00030.html
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=449497
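As an added illustration of the (imperfect) check proposed in the message above, here is a small scanner, not from the poster or from Lintian, that applies a line-level adaptation of the codesearch regex in [0] to a constructed sample script. It reports each download of code via wget/curl, whether the scheme is http or https, and whether an integrity check (sha256sum/sha512sum/gpg) follows on the next line. The sample script, the one-line window for the integrity check, and the "example.invalid" host are assumptions for the demonstration; the window heuristic is deliberately crude, which is why a check like this can only triage, not decide.

```python
import re

# Line-level adaptation of the codesearch query in [0]. The original uses
# "[^ ]*"; here quotes are also excluded so quoted URLs are matched cleanly
# (assumption, not part of the original query).
DOWNLOAD_RE = re.compile(
    r'(wget|curl).*?(https?)://[^\s"\']*/[^\s"\']*'
    r'\.(pl|sh|py|gz|xz|bz2|zip)(?=$|[^a-z])'
)

# Commands that suggest the download is verified before use (assumption:
# this list is illustrative, not exhaustive).
VERIFY_RE = re.compile(r'(sha256sum|sha512sum|gpg --verify|gpgv)')


def scan_script(text):
    """Return one finding per executable download line:
    (line number, scheme, integrity check found on the following line)."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines, 1):
        if line.strip().startswith('#'):
            continue  # commented-out lines are never executed
        m = DOWNLOAD_RE.search(line)
        if not m:
            continue
        # Heuristic (assumption): an integrity check counts only if it is on
        # the very next line. Anything wider attributes checks to the wrong
        # download in scripts that fetch several files in a row.
        following = lines[i] if i < len(lines) else ''
        checked = bool(VERIFY_RE.search(following))
        findings.append((i, m.group(2), checked))
    return findings


def classify(finding):
    """Map a finding to a triage label."""
    _, scheme, checked = finding
    if checked:
        return 'ok'            # verified regardless of transport
    if scheme == 'http':
        return 'insecure'      # plain http, no check: MITM => code execution
    return 'unverified-https' # transport protects, but no integrity check


def report(text):
    """Return [(line number, label), ...] for a script's contents."""
    return [(f[0], classify(f)) for f in scan_script(text)]


# Constructed sample script; not taken from any real package.
SAMPLE = """#!/bin/sh
# fetch-deps.sh (constructed sample)
wget http://example.invalid/deps/helper.sh && sh helper.sh
curl -O https://example.invalid/deps/libfoo-1.0.tar.gz
curl -O https://example.invalid/deps/bar.py
sha256sum -c bar.py.sha256
# wget http://example.invalid/old/legacy.pl   (commented out, not executed)
"""

if __name__ == '__main__':
    for lineno, label in report(SAMPLE):
        print(f'line {lineno}: {label}')
```

Run against a package's upstream scripts, only the `insecure` lines correspond to the hole described in the message; `unverified-https` lines are the ones where switching to https has already happened but a checksum would still be worth asking upstream for.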