On Sat, 18 Feb 2012, Neil Williams wrote:
> On Sat, 18 Feb 2012 16:25:20 +0200
> Christoph Anton Mitterer <cales...@scientia.net> wrote:
> > On 18.02.2012 14:40, Neil Williams wrote:
> > >> I think as a start it should be made a policy that any "wrapper"
> > >> package that downloads code from the net must at least do a strong
> > >> checksum check on the downloaded code.
> > > Not possible to enforce as a 'MUST' because, by definition,
> > > third-party websites will not provide checksums for every possible
> > > download mechanism.
> >
> > Well it's still possible then,... the maintainer can just calculate
> > sums on his own.
>
> Against what? The source is only downloaded from upstream once per
> upstream release, what is there to check against?
Upstream VCS, previous releases (when the diff is small enough), request that upstream publish in an email message the sha1sum or sha256sum when they announce a new release, etc.

How much it will protect Debian users depends entirely on where the trojan insertion point was. So far, the more common insertion points have NOT been upstream's development box, but rather the public distribution points and VCS trees.

Heck, even for dead upstream you still get the stuff from the other distros to compare Debian's with; even if you did it only to check for interesting patches from other distros, it would still increase the chances of you noticing something is weird.

And it is part of the job of a downstream maintainer to educate upstream when necessary, even if it takes a lot of diplomacy and a lot of effort.

--
"One disk to rule them all, One disk to find them. One disk to bring them all
and in the darkness grind them. In the Land of Redmond where the shadows lie."
-- The Silicon Valley Tarot
Henrique Holschuh

Archive: http://lists.debian.org/20120218184237.gh20...@khazad-dum.debian.net
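The thread's practical point is that a "wrapper" package which fetches code at install time can pin a strong checksum recorded by the maintainer at packaging time and refuse to keep anything that does not match it. The script below is an added example written for this discussion; it is not code from the thread, from Debian, or from any particular wrapper package. It assumes GNU coreutils `sha256sum` and `wget` are available; the function names, the URL/file arguments and the digests in the demonstration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): verify a downloaded tarball against a
# SHA-256 pinned by the package maintainer. Assumes sha256sum(1) and wget(1);
# all names and digests below are constructed for illustration.

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when FILE's SHA-256 equals EXPECTED_HEX, 1 on mismatch,
# 2 when FILE cannot be read. Mismatch details go to stderr.
verify_sha256() {
    file="$1"
    expected="$2"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# fetch_and_verify URL FILE EXPECTED_HEX
# Downloads URL to FILE and deletes FILE unless it verifies, so a tampered
# or truncated download never survives to the install step.
# Returns 0 on success, 1 on checksum mismatch, 2 on download failure.
fetch_and_verify() {
    url="$1"; file="$2"; expected="$3"
    wget -q -O "$file" "$url" || { rm -f "$file"; return 2; }
    if ! verify_sha256 "$file" "$expected"; then
        rm -f "$file"
        return 1
    fi
    return 0
}

# demo: exercises verify_sha256 on a constructed file (no network needed)
# and prints the two return codes, e.g. "good=0 bad=1".
demo() {
    tmp=$(mktemp)
    printf 'hello\n' > "$tmp"
    # SHA-256 of the six bytes "hello\n" (constructed test vector)
    good=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    bad=0000000000000000000000000000000000000000000000000000000000000000
    verify_sha256 "$tmp" "$good" && r1=0 || r1=$?
    verify_sha256 "$tmp" "$bad" 2>/dev/null && r2=0 || r2=$?
    rm -f "$tmp"
    echo "good=$r1 bad=$r2"
}
```

In a real wrapper package the pinned digest would live in the package itself (a constant in the download script or a `SHA256SUMS` file shipped with it), so that the value being compared against is under Debian's control rather than fetched from the same third-party site as the tarball; a mismatch then means the package must be rebuilt and re-reviewed, not silently re-pinned.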