On 02/18/2012 08:40 PM, Neil Williams wrote:
> On Sat, 18 Feb 2012 11:48:27 +0100
> Thomas Koch <tho...@koch.ro> wrote:
>
>> I think as a start it should be made a policy that any "wrapper" package
>> that downloads code from the net must at least do a strong checksum check
>> on the downloaded code.
>
> Not possible to enforce as a 'MUST' because, by definition, third-party
> websites will not provide checksums for every possible download
> mechanism.
>
We're trying to mitigate the risk of a man-in-the-middle attack here, not to authenticate the content, which is the job of the maintainer. We want to check that the file is the same one as the one the maintainer downloaded. Which means that if there isn't a checksum on the third-party website, a maintainer can just run sha512sum and save the checksum in his download script (or next to it) himself for a later runtime check.

So yes, a MUST can happen, IMO.

Thomas

--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/4f3fea8b.50...@debian.org
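The workflow Thomas describes (maintainer runs sha512sum once, ships the value with the package, the download script compares at runtime) as an added example; this is illustration code written for this page, not code from the thread or from any Debian wrapper package. It assumes GNU coreutils (sha512sum, mktemp) on the build host; the file names, payloads and the `local_fetch` stand-in for wget are constructed so the example runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from any Debian package: the
# download step of a hypothetical wrapper package that pins the SHA-512 of
# the upstream file at packaging time and refuses anything else at runtime.
# Assumes GNU coreutils (sha512sum, mktemp); all file names and the sample
# payloads below are constructed for the demonstration.

# Maintainer side, run once while packaging: record the checksum of the file
# the maintainer actually inspected. The printed value is what gets committed
# into the package (in the script itself or in a file next to it), so it
# travels with the package and is never fetched from upstream at runtime.
pin_checksum() {
    sha512sum -- "$1" | cut -d' ' -f1
}

# Runtime check: returns 0 if FILE's SHA-512 equals EXPECTED, 1 otherwise.
verify_download() {
    actual=$(sha512sum -- "$1" | cut -d' ' -f1) || return 1
    [ "$actual" = "$2" ]
}

# Fetchers share one interface: FETCHER URL DEST. A real package would use
# http_fetch; local_fetch stands in for it so the example runs offline.
http_fetch()  { wget -q -O "$2" -- "$1"; }
local_fetch() { cp -- "$1" "$2"; }

# fetch_verified FETCHER URL DEST EXPECTED
# Downloads to a temporary file, verifies it, and only then moves it into
# place, so a tampered file never appears at DEST even briefly.
# Returns 0 on success, 1 on download failure, 2 on checksum mismatch.
fetch_verified() {
    fetcher=$1; url=$2; dest=$3; expected=$4
    tmp=$(mktemp) || return 1
    if ! "$fetcher" "$url" "$tmp"; then
        rm -f -- "$tmp"
        return 1
    fi
    if ! verify_download "$tmp" "$expected"; then
        echo "checksum mismatch for $url, refusing to install" >&2
        rm -f -- "$tmp"
        return 2
    fi
    mv -- "$tmp" "$dest"
}

# Offline demonstration with constructed payloads: the genuine file is
# accepted and installed, a file altered in transit is rejected and leaves
# nothing behind at its destination. Returns 0 if both outcomes hold.
demo() {
    work=$(mktemp -d) || return 1
    printf 'upstream blob v1.0\n' > "$work/upstream.bin"            # what the maintainer saw
    printf 'upstream blob v1.0 + backdoor\n' > "$work/mitm.bin"     # what a MITM serves

    pinned=$(pin_checksum "$work/upstream.bin")                      # packaging time

    if fetch_verified local_fetch "$work/upstream.bin" "$work/out1" "$pinned"; then ok=0; else ok=$?; fi
    if fetch_verified local_fetch "$work/mitm.bin" "$work/out2" "$pinned"; then bad=0; else bad=$?; fi

    if [ "$ok" -eq 0 ] && [ -f "$work/out1" ] && [ "$bad" -eq 2 ] && [ ! -e "$work/out2" ]; then
        result=0
    else
        result=1
    fi
    rm -rf -- "$work"
    return $result
}
```

Two points the script is built around: the pinned value lives in the package, not on the upstream site, because a checksum fetched over the same channel as the file can be replaced by the same man-in-the-middle; and the match is done on a temporary file before anything is moved into place, so a mismatch aborts with nothing installed. As Thomas notes, this only proves the runtime download is byte-identical to what the maintainer looked at; whether that file was trustworthy in the first place is still the maintainer's judgement.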