
Bug#953722: ITP: josm-installer -- Editor for OpenStreetMap (installer)



On Thu, 2020-04-09 at 05:45 +0200, Sebastiaan Couwenberg wrote:
> On 4/9/20 4:37 AM, Christoph Anton Mitterer wrote:
> > > The package will be maintained with in the Debian GIS team where
> > > it will eventually replace the josm package.
> > 
> > I'm afraid but this is a really unfortunate idea.
> 
> Don't be:
> 
>  https://lists.debian.org/debian-gis/2020/04/msg00000.html

Ah, so AFAIU josm is not intended to be kept... that's good news.
Thanks for your effort :-)



> It's no different from users downloading the JAR themselves, the
> package
> just integrates it in the desktop environment and schedules periodic
> downloads.


FYI:
I've just had a short glance at the downloader and it seems it does no
verification at all...

The only protection is https, which, given how the TLS-CA-ecosystem
works, is mostly identical to no protection (there are around 150 root
CAs in the usual bundles, many of them highly questionable, from
totalitarian countries or having been caught already several times
"accidentally" forging certs... and there are probably thousands of
intermediate CAs... all of which can basically sign for everything).


I think there should perhaps be a big fat warning about this in the
package, or even better, some hardcoded hashsums of the jar, which are
then verified upon download.


Cheers,
Chris.
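Added example of the hash pinning proposed in the mail above; it is not code from the mail, from the josm-installer package or from JOSM. The pinned digest, the file name `josm-tested.jar`, the `fetch` callables and the 3-byte payload are all constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed pin table: the package would ship the expected SHA-256 of each
# JAR it is willing to install. This digest is sha256(b"abc"), not a real
# JOSM release hash, so the demo runs offline.
PINNED_SHA256 = {
    "josm-tested.jar": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}

class VerificationError(Exception):
    """Raised when a download does not match its pinned digest."""

def verify_bytes(data: bytes, expected_hex: str) -> bool:
    """Compare the SHA-256 of data with the pinned digest in constant time."""
    actual_hex = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual_hex, expected_hex)

def install_verified(name: str, fetch, dest_dir: str) -> str:
    """Fetch `name` via `fetch` (a callable returning bytes), refuse it unless
    its SHA-256 matches PINNED_SHA256, then place it atomically in dest_dir."""
    expected = PINNED_SHA256.get(name)
    if expected is None:
        raise VerificationError(f"no pinned digest for {name}; refusing to install")
    data = fetch(name)
    if not verify_bytes(data, expected):
        raise VerificationError(f"SHA-256 mismatch for {name}; download discarded")
    # Write to a temp file and rename, so the final path never holds a
    # partially written JAR even if the process dies mid-write.
    fd, tmp_path = tempfile.mkstemp(dir=dest_dir, prefix=".partial-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        final_path = os.path.join(dest_dir, name)
        os.replace(tmp_path, final_path)
        return final_path
    except BaseException:
        os.unlink(tmp_path)
        raise

# Constructed stand-ins for the network: a genuine and a tampered response.
def fetch_good(name: str) -> bytes:
    return b"abc"

def fetch_tampered(name: str) -> bytes:
    return b"abd"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print("installed:", install_verified("josm-tested.jar", fetch_good, d))
        try:
            install_verified("josm-tested.jar", fetch_tampered, d)
        except VerificationError as e:
            print("rejected:", e)
```

A pinned digest means every new upstream JAR needs a package update carrying the new hash, which is the price of not trusting the CA bundle alone.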

