On Thu, 2020-04-09 at 05:45 +0200, Sebastiaan Couwenberg wrote:
> On 4/9/20 4:37 AM, Christoph Anton Mitterer wrote:
> > > The package will be maintained within the Debian GIS team where
> > > it will eventually replace the josm package.
> >
> > I'm afraid but this is a really unfortunate idea.
>
> Don't be:
>
> https://lists.debian.org/debian-gis/2020/04/msg00000.html
Ah, so AFAIU josm is not intended to be kept... that's good news.

Thanks for your effort :-)

> It's no different from users downloading the JAR themselves, the
> package just integrates it in the desktop environment and schedules
> periodic downloads.

FYI: I've just had a short glance at the downloader and it seems it does no verification at all...

The only protection is https, which, given how the TLS-CA-ecosystem works, is mostly identical to no protection (there are around 150 root CAs in the usual bundles, many of them highly questionable from totalitarian countries or that have been caught already several times in "accidentally" forging certs... and there are probably thousands of intermediate CAs... all of which can basically sign for everything).

I think there should be perhaps a big fat warning about this in the package, or even better, some hardcoded hashsums of the jar, which is then verified upon download.

Cheers,
Chris.
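One way to implement the hash pinning suggested in the message above, as an added example in POSIX sh. This is not code from the josm package, the Debian GIS team or anyone in this thread; the function names, file names and the pinned digest (the SHA-256 of a constructed five-byte sample file, not of a real josm JAR) are all assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not code from the josm package or from anyone in this thread.
# Idea: the package ships a pinned SHA-256 of the JAR it expects, and the
# downloader refuses to install anything whose digest does not match, no
# matter what the TLS layer accepted.
# Assumptions: POSIX sh and coreutils sha256sum are available; the pinned
# digest below is for a constructed sample file, not for a real josm JAR.

# Pinned digest (constructed: SHA-256 of the five bytes "hello").
PINNED_SHA256="2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"

# sha256_of FILE: print the hex digest of FILE; fail if the file is missing.
sha256_of() {
    [ -f "$1" ] || return 1
    sha256sum "$1" | cut -d' ' -f1
}

# verify_jar FILE EXPECTED: succeed only if FILE's digest equals EXPECTED.
# The comparison is done on lowercase hex so a pinned value in either case works.
verify_jar() {
    actual=$(sha256_of "$1") || return 1
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$actual" = "$expected" ]
}

# install_if_verified TMPFILE EXPECTED DEST: move the downloaded temp file into
# place only when it verifies; otherwise delete it so a bad JAR never reaches DEST.
install_if_verified() {
    tmp="$1"; expected="$2"; dest="$3"
    if verify_jar "$tmp" "$expected"; then
        mv "$tmp" "$dest"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Stand-alone demo with a constructed "download" (no network involved).
demo() {
    dir=$(mktemp -d)
    printf 'hello' > "$dir/josm.jar.part"       # matches the pinned digest
    printf 'hellO' > "$dir/tampered.jar.part"   # one byte changed in transit
    if install_if_verified "$dir/josm.jar.part" "$PINNED_SHA256" "$dir/josm.jar"; then
        echo "good JAR installed"
    fi
    if ! install_if_verified "$dir/tampered.jar.part" "$PINNED_SHA256" "$dir/josm.jar"; then
        echo "tampered JAR rejected and removed"
    fi
    rm -rf "$dir"
}

demo
```

Pinning a digest ties the package to one specific JAR build, so each new upstream release needs a matching update of the pinned value in the package; that is the trade-off against a downloader that accepts whatever the server currently serves.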