On Jan 14, 1:10 pm, "Shaun Jackman" wrote:
> On a stable Debian system, system-wide upgrades can be far between. I
> prefer to give the user a choice of whether to use the update system
> provided by the upstream author to update the software before the next
> stable release of Debian.

like i said originally, my primary concern is security (although dfsg-ness and the issues described by others in this thread are quite important as well). allowing azureus to go out and get its own executable subjects the user to potentially malicious code that otherwise would not be there. two things could happen -- the upstream jar could introduce new unfixed flaws and/or vulnerabilities that are being exploited, or a man-in-the-middle could replace the upstream jar with his own malicious jar. apt uses signed packages to prevent the man-in-the-middle and debian's security team makes sure that all security flaws are addressed.

i believe that the solution is to completely disable the update feature. if the user wants to run the latest azureus on stable, they can use apt-pinning [1] to install the package from sid. how to do this can be either added to the azureus documentation or to a notification that's dropped into the gnome notification area when azureus is run.

thank you for the constructive conversation.

mike

[1] http://www.debian.org/doc/manuals/apt-howto/ch-apt-get.en.html
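
Added example, not part of the original message: a minimal apt-pinning setup of the kind the message refers to, so that azureus comes from sid through apt's signed archive while everything else stays on stable. The mirror URL, the "main" component and the priority values are assumptions; the `#` lines are annotations for this example.

```conf
# --- /etc/apt/sources.list ---
# Keep stable and add unstable (sid) alongside it.
deb http://deb.debian.org/debian stable main
deb http://deb.debian.org/debian unstable main

# --- /etc/apt/preferences ---
# Stable remains the default source for every package.
Package: *
Pin: release a=stable
Pin-Priority: 700

# Below 500: a sid version is not selected while stable offers the
# package. Above 100 (the priority of an installed version): a package
# already taken from sid keeps receiving its sid upgrades.
Package: *
Pin: release a=unstable
Pin-Priority: 200

# --- then, as root ---
#   apt-get update
#   apt-get install azureus/unstable
#   apt-cache policy azureus   # shows which release the candidate comes from
```

With `azureus/unstable` only that package is taken from sid, so the install fails rather than silently pulling further packages from sid if its dependencies cannot be met from stable.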