Control: tags -1 moreinfo

On 09.04.20 at 11:36, Ivo De Decker wrote:
> package: runescape
> severity: serious
>
> Hi,
>
> It seems runescape downloads a binary and runs it, without verifying its
> integrity. At least the download happens using https, but no other
> verification is done.

Could you quote the relevant part of Debian Policy that requires verification (and what kind of verification) of downloaded files? Is downloading of verified orig tarballs now a requirement or is it still just sufficient to download the tarball and verify its integrity by hand?

Markus Koschany