-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Tom Feiner wrote:
> Hi Patrik,
>
> Thanks for the quick reply!
>
> I guess I should have explained a bit more. Of course you are right, simply
> checking hashsums provided by upstream won't help.
>
> What can help is if upstream releases a public key which is included in the
> Debian package in advance, and sign their binaries with it so we can validate
> that binaries are actually from them. However, this still leaves upstream in
> control of the resulting binaries, and it basically says that Debian trusts
> them completely, which is not the case here. (This issue was also raised in bug
> http://bugs.debian.org/545241).
>
> So the only safe solution I can see is simply offering frequent updates for
> the geoip-database package, which is compiled from source using the usual
> Debian development and updating process. AFAICS, this eliminates the problem,
> but I'm not sure if there's a good way to do it (especially for
> stable/oldstable releases on an ongoing basis).
>
> Regards,
> Tom Feiner
>
Upstream isn't very cooperative; see the last discussion on debian-devel.
Now I have reached the level that I am able to produce patches and
package newer versions of the library (with the result of this discussion).
The main goal of those scripts is that users who run {old}stable could
simply update their databases if they need the precision.
- --
/*
Mit freundlichem Gruß / With kind regards,
Patrick Matthäi
GNU/Linux Debian Developer
E-Mail: [email protected]
[email protected]
Comment:
Always if we think we are right,
we were maybe wrong.
*/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkqxJNMACgkQ2XA5inpabMcmkwCfSee1toP6lPDOCzsMGlVVXZ30
8rgAn1mGvaHZNAAdnT628jM7IURfjzEo
=XB2W
-----END PGP SIGNATURE-----