On 18.02.2012 14:40, Neil Williams wrote:
>> I think as a start it should be made a policy that any "wrapper" package
>> that downloads code from the net must at least do a strong checksum check
>> on the downloaded code.
>
> Not possible to enforce as a 'MUST' because, by definition, third-party
> websites will not provide checksums for every possible download mechanism.
Well, it's still possible then... the maintainer can just calculate the sums
on his own.
Of course this does not mean things are secure (the maintainer could already
be using a forged version)... but at least it helps against single MITM
attacks.
Cheers,
Chris.
--
Archive: http://lists.debian.org/0a9d69dc96c647151114bca2d8ebb...@scientia.net
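The check Chris describes, as an added example that is not part of the thread and not code from any Debian package: the maintainer computes a SHA-256 digest of the upstream file once, at packaging time, from a copy they have vetted, ships that digest in the package, and the wrapper refuses any download whose digest differs. The demo below stands in for the network fetch with constructed local files so it runs offline; sha256sum(1) from coreutils and wget(1) are assumed to be available.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or any Debian package.
# A download wrapper that only uses a fetched file if its SHA-256 matches
# a digest the maintainer pinned at packaging time.
# Assumptions: sha256sum(1) and wget(1) exist; the demo uses local files
# in place of a real download.

set -u

# Print the SHA-256 digest of a file as 64 hex characters.  The maintainer
# runs this once against the vetted upstream copy and ships the result.
sha256_of() {
    [ -f "$1" ] || return 1
    sha256sum "$1" | cut -d' ' -f1
}

# Compare a downloaded file against the pinned digest.
# Returns 0 on match; on mismatch prints both digests, deletes the file so
# a later step cannot pick it up by accident, and returns 1.
verify_download() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  got:      $actual" >&2
        rm -f -- "$file"
        return 1
    fi
    return 0
}

# Fetch and verify in one step: $1 URL, $2 pinned digest, $3 destination.
# Only this function touches the network; the wget call is an assumption.
fetch_verified() {
    url=$1; expected=$2; dest=$3
    wget -q -O "$dest" "$url" || { rm -f -- "$dest"; return 1; }
    verify_download "$dest" "$expected"
}

# Offline demonstration with constructed files standing in for downloads.
# Returns 0 when the clean copy passes and the tampered copy is rejected.
demo() {
    tmp=$(mktemp -d) || return 1

    # The upstream file the maintainer vetted; its digest is what gets pinned.
    printf 'exec /usr/bin/true\n' > "$tmp/upstream.sh"
    pinned=$(sha256_of "$tmp/upstream.sh") || { rm -rf "$tmp"; return 1; }

    # Clean download: identical bytes, verification passes.
    cp "$tmp/upstream.sh" "$tmp/download-clean.sh"
    verify_download "$tmp/download-clean.sh" "$pinned" || { rm -rf "$tmp"; return 1; }

    # Download altered in transit (the single-MITM case): the digest differs,
    # verification fails and the file is removed.
    printf 'exec /usr/bin/false\n' > "$tmp/download-mitm.sh"
    if verify_download "$tmp/download-mitm.sh" "$pinned" 2>/dev/null; then
        rm -rf "$tmp"; return 1
    fi
    [ ! -e "$tmp/download-mitm.sh" ] || { rm -rf "$tmp"; return 1; }

    rm -rf "$tmp"
    return 0
}
```

As the message points out, this only detects a difference between the copy the maintainer hashed and the copy the user receives. If upstream was already compromised when the maintainer pinned the digest, the tampered file verifies cleanly, so the pinned value is only as trustworthy as the maintainer's own copy.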