
Bug#953722: ITP: josm-installer -- Editor for OpenStreetMap (installer)



Hey.

> The package will be maintained with in the Debian GIS team where
> it will eventually replace the josm package.

I'm afraid this is a really unfortunate idea.


Downloader packages - and that's what this is - are generally a bad
idea.

They circumvent package management, any tools building upon package
management (from simple things like apt-listchanges to advanced things
like Icinga/Nagios checks for package upgrades) and any reasonable
security support.

I know of only a few such downloader tools which do it really right, i.e.
in a secure way.
Just checking for some signatures isn't typically enough, as it allows
for things like downgrade attacks.

Some downloader tools even use the upstream keys for verification,
which may sound good at a first glance, but would effectively allow a
hostile (or hacked) upstream to selectively send hacked versions of the
code/binaries to selected users only (thereby making it even much
harder to ever detect, as when *all* users would have to be


Security-wise (and generally), it's probably safest to hardcode the
valid hashsums for the downloaded files within the downloader package
and really upgrade the package every time a new version of code/binaries
comes out.
This would not mean a general circumvention of the distribution's
package management tool.


I personally can only think of very few cases where a downloader
package is justified (like when legal reasons prevent shipping
something, e.g. as with ttf-mscorefonts-installer).
For most other things one should wonder whether it's not better to
simply drop a package from the distro if it cannot actually be
maintained within that distro.

After all, Linux isn't the Windows world, where each and every software
brings its own (often crappy) installer, and where this causes
gazillions of problems and security issues.


Cheers,
Chris.
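The contrast drawn in the message above, between "just checking for some signatures" and pinning the hashsums of the exact files inside the distro package, as an added example that is not part of the original post and not code from the josm or josm-installer packages. The artifact bytes, the file names and the HMAC "upstream signature" are all constructed stand-ins (a real upstream would sign with OpenPGP); the point is the verification policy, not the signature scheme.

```python
import hashlib
import hmac

# Constructed stand-in for an upstream signing key. It exists only so the
# example can produce a *validly signed* but outdated artifact.
UPSTREAM_KEY = b"example-upstream-key-not-real"

# Constructed sample artifacts: the current release and an older one that
# upstream also signed at the time. In a real installer these would be the
# downloaded jar/tarball bytes.
ARTIFACTS = {
    "josm-16000.jar": b"josm release 16000 (constructed sample bytes)",
    "josm-15000.jar": b"josm release 15000 (constructed sample bytes)",
}


def upstream_sign(data: bytes) -> str:
    """Stand-in for an upstream signature over the artifact bytes."""
    return hmac.new(UPSTREAM_KEY, data, hashlib.sha256).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The distro package pins the exact hash of the single version it was built
# to fetch. Changing this constant requires a new package upload, which is
# what keeps apt, apt-listchanges, monitoring checks etc. in the loop.
PINNED = {
    "filename": "josm-16000.jar",
    "sha256": sha256_hex(ARTIFACTS["josm-16000.jar"]),
}


def signature_only_check(data: bytes, signature: str) -> bool:
    """What a 'check some signatures' downloader does: it accepts anything
    upstream ever signed, which includes every older release."""
    return hmac.compare_digest(upstream_sign(data), signature)


def pinned_hash_check(filename: str, data: bytes) -> bool:
    """Accept only the byte-for-byte identical pinned release."""
    if filename != PINNED["filename"]:
        return False
    return hmac.compare_digest(sha256_hex(data), PINNED["sha256"])


def fetch_and_verify(filename: str, data: bytes, signature: str) -> dict:
    """Run both policies side by side so their verdicts can be compared."""
    return {
        "signature_ok": signature_only_check(data, signature),
        "pinned_ok": pinned_hash_check(filename, data),
    }


def demo() -> dict:
    results = {}
    # 1. The intended release, signed by upstream: both policies accept it.
    cur = ARTIFACTS["josm-16000.jar"]
    results["current"] = fetch_and_verify("josm-16000.jar", cur, upstream_sign(cur))
    # 2. An older, still validly signed release served under the current
    #    name: the signature-only policy accepts it (a downgrade), the
    #    pinned hash rejects it.
    old = ARTIFACTS["josm-15000.jar"]
    results["downgrade"] = fetch_and_verify("josm-16000.jar", old, upstream_sign(old))
    # 3. A modified artifact whose signature no longer matches: both reject it.
    tampered = cur + b"\x00"
    results["tampered"] = fetch_and_verify("josm-16000.jar", tampered, upstream_sign(cur))
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:10s} signature_ok={verdict['signature_ok']} pinned_ok={verdict['pinned_ok']}")
```

The pinned hash also covers the selective-delivery concern raised above: because every user installs the same distro package with the same hardcoded hashsum, a download server that hands a different file to some users fails the check for exactly those users instead of quietly succeeding.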

