On Thu, 17 Sep 2009 21:26:38 +0200 Christoph Anton Mitterer wrote:
> Hi.
>
> Some time ago I wrote several bug reports to packages that download
> files from some non-apt-secured sources of the web and install them.
I also started a similar discussion a while back, which was met with mixed opinion [0]. I tried to lay out the full spectrum of issues related to this problem, but many just focused on the non-free aspect. No consensus was reached.

Checksums are a good start, but if the data itself is non-free (or closed or obscured), then how can you be sure it is not malicious? I think it is a matter of trust, and maybe the key would be that scripts should only accept the external data if it is signed and hashed by an authenticated DD's GPG key.

mike

[0] http://lists.debian.org/debian-devel/2009/02/msg00461.html