User: Password:
|
|
Subscribe / Log in / New account

improving downloader packages (was: Re: holes in secure apt)

From:  Thijs Kinkhorst <thijs-AT-debian.org>
To:  debian-devel-AT-lists.debian.org
Subject:  improving downloader packages (was: Re: holes in secure apt)
Date:  Thu, 12 Jun 2014 19:31:14 +0200
Message-ID:  <201406121931.14779.thijs@debian.org>
Archive-link:  Article

Hi Chris,

You raise a lot of broad concerns under the header "holes in secure apt" which 
I'm afraid does not much to get us closer to a more secure Debian. Not many 
people will object that making Debian even more secure is a bad idea; it just 
needs concrete action, not a large list of potential areas to work on.

I suggest that you focus on one of those aspects of your email and take some 
concrete action to get it addressed. For example this part:

Op donderdag 12 juni 2014 17:36:23 schreef Christoph Anton Mitterer:
> We have a number of packages which circumvent the package management
> system by downloading "normal" files (think of HTML files as downloaded
> by the susv[2,3,4] packages) or even code (like torbrowser-launcher).

> I think there should be some clear policy on how packages are allowed to
> pull in external code/files and install them to the system:
> 
> - How packages are technically allowed to pull in external code, I think
> verifications should be mandatory and IMHO that verification should be

I think a better way than to create such a policy would be to create a simple 
framework that does in-package downloading "right" and that downloader 
packages can depend on and call from their scripts (a bit like dbconfig-
common). An existing technical solution will probably be more quickly adopted 
by the various packages than a set of requirements, and improvements need to 
be made in only one place.

If you create something like that I'd gladly use it in the downloader package 
I maintain (msttcorefonts - which does check hashes of downloaded stuff, btw) 
and I'm willing to spend time with you on the integration and to see what may 
be required or missing for my package to use it. If we show that it works for 
this package, others will surely follow. You just need to take the first step.


Cheers,
Thijs


(Log in to post comments)


Copyright © 2014, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds