Bug#546945: libgeoip1: GeoIP example update scripts downloaded, content without hashsum

2009-09-18 Thread Tom Feiner
Hi, Patrick Matthäi wrote: > Hmpf I have got an NACK for my plan from DSA. :< How about using debian volatile [0] in order to build geoip-database and distribute it. This will solve all of the above problems mentioned in this bug: * Users will be able to get newer trusted (debian built) version

Bug#546945: libgeoip1: GeoIP example update scripts downloaded, content without hashsum

2009-09-18 Thread Patrick Matthäi
Tom Feiner wrote: > Hi, > > Patrick Matthäi wrote: >> Hmpf I have got an NACK for my plan from DSA. :< > > How about using debian volatile [0] in order to build geoip-database and > distribute it. This will solve all of the above problems mentioned

Bug#546945: libgeoip1: GeoIP example update scripts downloaded, content without hashsum

2009-09-18 Thread Tom Feiner
Patrick Matthäi wrote: > At the moment they just have to use backports.org, but I think I will > leave the scripts as they are, they are optional. backports.org sounds fine, the important part here is to find users a secure and reliable way to get new geoip-database packages. If we can do that on

Bug#546945: libgeoip1: GeoIP example update scripts downloaded, content without hashsum

2009-09-17 Thread Patrick Matthäi
Tom Feiner wrote: > Hi Patrick, > > Thanks for considering this again :) > > Your plan sounds very much like the way the flashplugin-nonfree > maintainers operate. The only difference is that as flash is indeed > non-free, they don't have the source

Bug#546945: libgeoip1: GeoIP example update scripts downloaded content without hashsum

2009-09-16 Thread Tom Feiner
Patrick Matthäi wrote: > Upstream isn't very cooperative, see the last discussion on debian-devel. > > Now I have reached the level, that I am able to produce patches and > package newer versions of the library (with the result of this discussion). This is great, now that the database format was

Bug#546945: libgeoip1: GeoIP example update scripts downloaded content without hashsum

2009-09-16 Thread Patrick Matthäi
Tom Feiner wrote: > Hi Patrick, > > Thanks for the quick reply! > > I guess I should have explained a bit more. Of course you are right, simply > checking hashsums provided by upstream won't help. > > What can help is if upstream releases a public

Bug#546945: libgeoip1: GeoIP example update scripts downloaded content without hashsum

2009-09-16 Thread Tom Feiner
Hi Patrick, Thanks for the quick reply! I guess I should have explained a bit more. Of course you are right, simply checking hashsums provided by upstream won't help. What can help is if upstream releases a public key which is included in the debian package in advance, and sign their binaries wit

Bug#546945: libgeoip1: GeoIP example update scripts downloaded content without hashsum

2009-09-16 Thread Patrick Matthäi
Tom Feiner wrote: > Package: libgeoip1 > Version: 1.4.6.dfsg-12 > Severity: normal > > Hi, > > The example GeoIP database update scripts, located at > /usr/share/doc/libgeoip1/examples/*.sh update the binary GeoIP databases > from a potentially uns

Bug#546945: libgeoip1: GeoIP example update scripts downloaded content without hashsum

2009-09-16 Thread Tom Feiner
Package: libgeoip1 Version: 1.4.6.dfsg-12 Severity: normal Hi, The example GeoIP database update scripts, located at /usr/share/doc/libgeoip1/examples/*.sh update the binary GeoIP databases from a potentially unsafe source, without validating the downloaded content, making it vulnerable at least