Package: googleearth-package
Severity: important

Hi.

I'm currently looking at Debian packages which download and install files from the internet (as their main content) whether they check the validity of these files.

Although this package does not directly install anything but just creating a package,.... installing this package is still that what nearly any user actually wants to do.
That's why I've marked this as important, and not just wishlist.

May I suggest the following:
1) Ship SHA512 sums of the downloaded contend with your package (perhaps after you make some (at least rudimentary) checks for malicious contents).
This should of course match the specific google-earch version

2) Check whether this matches with the sums of the downloaded files.

3) In case of mismatches, the user should at least be warned that this is probably a security issue. Even better... package create should fail in this case,.. and only using a special parameter to make-googleearth-package should allow package creation (e.g. --ignore-hashsum-mismatch or so)


Thanks and best wishes,
Chris.


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-heisenberg (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash


----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.




--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to