Hi.

Just looked over it again...

How do you actually do the check?
I've seen that you include an OpenPGP key, and it seems that this is from some Adobe employee and the md5.txt is also from them?

So in this case I'd still consider this security critical, because now "we" (Debian) fully trust what this Adobe guy says... This one might get fired, or become evil, or he might simply have no idea about using public keys.

So I'd suggest that _you_ maintain these hashes and thus put the control over the hashes in Debian's hands. Of course it would be a good idea if _you_ use his _key+hashsum_ to verify the files/sums you use.

Of course this has the disadvantage that you have to release a new package every time a new flashplugin gets out, but the advantage that users are thus better informed about security updates (which happen to be quite frequent with flash ;) ).


Of course all this also gives us only somewhat better security... flash is still closed source... nobody knows what it actually does... and it's quite well known for being one of the biggest security holes out there.

Anyway... I think putting the "control" here in Debian's hands would be better.


Regards,
Chris.

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
