
Bug#953722: ITP: josm-installer -- Editor for OpenStreetMap (installer)



On 4/10/20 6:20 AM, Christoph Anton Mitterer wrote:
> On Thu, 2020-04-09 at 05:45 +0200, Sebastiaan Couwenberg wrote:
>> On 4/9/20 4:37 AM, Christoph Anton Mitterer wrote:
>> It's no different from users downloading the JAR themselves, the
>> package
>> just integrates it in the desktop environment and schedules periodic
>> downloads.
> 
> FYI:
> I've just had a short glance on the downloader and it seems it does no
> verification at all...

The JRE verifies the JAR signature.

> The only protection is https, which, given how the TLS-CA-ecosystem
> works is mostly identical to no protection (there are around 150 root
> CAs in the usual bundles, many of them highly questionable from
> totalitarian countries or that have been caught already several times
> in "accidentally" forging certs... and there are probably thousands of
> intermediate CAs... all which can basically sign for everything).

Upstream doesn't provide asc/md5/sha signatures like Maven does, I did
ask for them but upstream considers the JAR signature sufficient.

> I think there should be perhaps a big fat warning about this in the
> package, or even better, some hardcoded hashsums of the jar, which is
> then verified upon download.

I looked into how flashplugin-nonfree was implemented, but that's not
something to adopt for josm-installer; I don't have the bandwidth for that.

josm-installer is already in contrib, that's warning enough. The package
name implies that it doesn't provide the executable itself, and any user
who, like you, is uncomfortable with that can steer clear of it. If we have
to remove the josm package in the future because it becomes impossible to
keep for some reason, the josm-package will remain for users who don't
share your concern, e.g. because they already download the JAR from the
JOSM project themselves and appreciate the improved integration. Users
who consider an installer unacceptable will have to find another way to
keep using JOSM on their Debian systems.

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1
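The pinned-hash check Christoph proposes in the quoted text, as an added shell example that is not part of the josm-installer package: the candidate download is installed only if its SHA-256 matches a value shipped with the package, and is deleted otherwise. Availability of sha256sum or shasum and the install path in the usage comment are assumptions.

```shell
# Added example, not code from josm-installer: fail-closed verification of a
# downloaded JAR against a hash pinned in the package.

# Print the SHA-256 of a file, using whichever tool is available (assumed).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 only if the file's SHA-256 equals the pinned value; an empty
# or unreadable digest counts as a failure, never as a match.
verify_pinned_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Move a candidate file into place only after it verifies; otherwise delete
# it, so a tampered or truncated download never reaches the path the
# launcher executes from.
install_verified() {
    candidate=$1
    expected=$2
    dest=$3
    if verify_pinned_sha256 "$candidate" "$expected"; then
        mv "$candidate" "$dest"
        return 0
    fi
    rm -f "$candidate"
    echo "checksum mismatch for $candidate, refusing to install" >&2
    return 1
}

# Usage in an installer (placeholder path and hash): download with curl or
# wget to a temporary file, then
#   install_verified "$tmp" "$PINNED_SHA256" /usr/share/josm/josm-tested.jar
# and only register the launcher when install_verified returns 0.
```

The pinned value must be updated in the package for every upstream release, which is the maintenance cost Bas refers to; a stale hash makes the installer refuse the new JAR rather than install it unverified.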

