On Thu, 9 Apr 2020 12:37:03 +0200, Markus Koschany <a...@debian.org> wrote:

> On 09.04.20 at 11:36 Ivo De Decker wrote:
> > It seems runescape downloads a binary and runs it, without verifying its
> > integrity. At least the download happens using https, but no other
> > verification is done.
>
> Could you quote the relevant part of Debian Policy that requires
> verification (and what kind of verification) of downloaded files. Is
> downloading of verified orig tarballs now a requirement, or is it still
> just sufficient to download the tarball and verify its integrity by hand?
This is a bit different: runescape downloads a binary the first time it's run by any given user, so each user can potentially get a different binary. Checking orig tarballs (whether using a signing key or manually) produces a result which remains the same for all users...

Regards,

Stephen
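The integrity check Ivo and Stephen are discussing, as an added example that is not part of the thread and not code from the Debian runescape package: a launcher script that fetches a binary at first run can still give every user the same result if the package pins the SHA-256 of the expected file at build time and refuses to install anything that does not match. The function names, the pinned hash and the temporary paths below are constructed for the example; in a real launcher the file would arrive via wget or curl over https, and the pinned hash is what turns that transport into an integrity guarantee.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Debian runescape
# package: verify a downloaded launcher binary against a SHA-256 hash that
# the package pins at build time, and refuse to install it otherwise.
# Function names, the pinned hash and the paths are constructed placeholders.

# Print the SHA-256 hex digest of FILE; works with coreutils or BSD tools.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_pinned_sha256 FILE EXPECTED_HEX
# Returns 0 when FILE hashes to EXPECTED_HEX, 1 otherwise.
verify_pinned_sha256() {
    actual=$(sha256_of "$1") || return 1
    # Compare case-insensitively so a hash pinned in upper case still matches.
    actual=$(printf '%s' "$actual" | tr 'A-Z' 'a-z')
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# install_verified SRC DEST EXPECTED_HEX
# Move the downloaded file into place only after it verifies; on a mismatch
# the download is deleted so a bad copy never lands in the user's bin dir.
install_verified() {
    if verify_pinned_sha256 "$1" "$3"; then
        mv "$1" "$2" && chmod 0755 "$2"
    else
        echo "checksum mismatch for $1, refusing to install" >&2
        rm -f "$1"
        return 1
    fi
}

# Demo with constructed data: a "downloaded" file whose content is "hello\n"
# (its SHA-256 is the pinned value below), then a tampered copy of it.
demo() {
    dir=$(mktemp -d) || return 1
    pinned=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    printf 'hello\n' > "$dir/download.tmp"
    install_verified "$dir/download.tmp" "$dir/launcher" "$pinned" \
        && echo "installed: $dir/launcher"
    printf 'hello!\n' > "$dir/download.tmp"
    install_verified "$dir/download.tmp" "$dir/launcher2" "$pinned" \
        || echo "tampered download rejected"
    rm -rf "$dir"
}

demo
```

The pinned digest has to be produced by the maintainer when the package is built (from the same upstream file the package claims to support), so that a changed download is detected rather than silently executed; a hash fetched from the same server as the binary would add nothing.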