On Sat, 18 Feb 2012 11:48:27 +0100 Thomas Koch <tho...@koch.ro> wrote:
> I think as a start it should be made a policy that any "wrapper" package that
> downloads code from the net must at least do a strong checksum check on the
> downloaded code.

Not possible to enforce as a 'MUST' because, by definition, third-party websites will not provide checksums for every possible download mechanism. Only a should is possible here - wherever a checksum can be verified independently, but even then, an unreliable upstream checksum method is better ignored than supported.

> What about a debhelper script that receives a URL (or set of mirror URLs)
> and a SHA1 and does the download and check?

Do you mean dget? If it's mirror URLs, most of the time you can use apt. If it's mirrors, fine. Anything downloaded from a site which is not part of *.debian.org or a mirror of *.debian.org cannot be expected to provide useful checksums.

--
Neil Williams
=============
http://www.linux.codehelp.co.uk/
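One way the mirror-list "download and check" helper proposed in this thread could look in shell, added here as an example rather than code from the thread or from debhelper; it assumes curl or wget is installed, uses SHA-256 instead of the SHA1 mentioned above, and fails closed so that no unverified file is ever left at the destination path.

```shell
#!/bin/sh
# Added example (not from the thread): fetch a file from a list of mirror
# URLs and refuse to use it unless its SHA-256 matches the expected value.
# Assumes curl or wget is installed.

# Download one URL to a destination path. Returns non-zero on any failure.
fetch_url() {
    url=$1; dest=$2
    if command -v curl >/dev/null 2>&1; then
        curl -fsSL -o "$dest" "$url"
    else
        wget -q -O "$dest" "$url"
    fi
}

# Print the SHA-256 hex digest of a file (coreutils or perl shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# fetch_verified EXPECTED_SHA256 DEST URL [URL...]
# Tries each mirror in turn; a download whose checksum does not match is
# deleted and the next mirror is tried. Succeeds only if some mirror
# delivers content matching EXPECTED_SHA256; DEST never holds unverified data.
fetch_verified() {
    expected=$1; dest=$2; shift 2
    tmp="$dest.part"
    for url in "$@"; do
        rm -f "$tmp"
        if ! fetch_url "$url" "$tmp"; then
            echo "fetch failed: $url" >&2
            continue
        fi
        actual=$(sha256_of "$tmp")
        if [ "$actual" = "$expected" ]; then
            mv "$tmp" "$dest"
            return 0
        fi
        echo "checksum mismatch from $url: got $actual" >&2
        rm -f "$tmp"
    done
    echo "no mirror delivered a file matching $expected" >&2
    return 1
}
```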