Hey.

> The package will be maintained within the Debian GIS team where
> it will eventually replace the josm package.

I'm afraid, but this is a really unfortunate idea.

Downloader packages - and that's what this is - are generally a bad idea. They circumvent package management, any tools building upon package management (from simple things like apt-listchanges to advanced things like Icinga/Nagios checks for package upgrades) and any reasonable security support.

I know only few such downloader tools which do it really right, i.e. in a secure way. Just checking for some signatures isn't typically enough, as it allows for things like downgrade attacks. Some downloader tools even use the upstream keys for verification, which may sound good at first glance, but would effectively allow a hostile (or hacked) upstream to selectively send hacked versions of the code/binaries to selected users only (thereby making it even much harder to ever detect, as when *all* users would have to be

Security wise (and generally), it's probably safest to hardcode the valid hashsums for the downloaded files within the downloader package and really upgrade the package every time a new version of code/binaries comes out. This would not mean a general circumvention of the distribution's package management tool.

I personally can only think of very few cases where a downloader package is justified (like when legal reasons prevent shipping something, e.g. as with ttf-mscorefonts-installer). For most other things one should wonder whether it's not better to simply drop a package from the distro if it cannot be actually maintained within that distro.

After all, Linux isn't the Windows world, where each and every software brings its own (often crappy) installers, and where this causes gazillions of problems and security issues.

Cheers,
Chris.
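Added example, not part of the original message: a comparison of the two verification policies the message contrasts, a signature-only check versus a hash hardcoded in the downloader package. All file contents and the key are constructed, and an HMAC stands in for upstream's public-key signature (an assumption made to keep the example self-contained).

```python
import hashlib
import hmac

# Constructed sample data; none of it comes from a real project.
UPSTREAM_KEY = b"constructed-upstream-key"
CURRENT = b"tool 2.0 (release the package maintainer reviewed)"
OLDER = b"tool 1.0 (older release, still validly signed)"
TARGETED = b"tool 2.0 (variant served to selected users only)"


def upstream_sign(blob: bytes) -> bytes:
    """Stand-in for upstream's signature; HMAC replaces a real public-key scheme."""
    return hmac.new(UPSTREAM_KEY, blob, hashlib.sha256).digest()


def signature_only_ok(blob: bytes, sig: bytes) -> bool:
    """Policy A: accept any file that carries a valid upstream signature."""
    return hmac.compare_digest(upstream_sign(blob), sig)


# Policy B: the downloader package hardcodes the hash of the one expected file.
# A new upstream release then requires uploading a new downloader package.
PINNED_SHA256 = hashlib.sha256(CURRENT).hexdigest()


def pinned_hash_ok(blob: bytes, pinned: str = PINNED_SHA256) -> bool:
    """Accept only the exact bytes whose SHA-256 was shipped in the package."""
    return hmac.compare_digest(hashlib.sha256(blob).hexdigest(), pinned)


def evaluate(blob: bytes, sig: bytes) -> dict:
    """Return the verdict of both policies for one downloaded file."""
    return {"signature_only": signature_only_ok(blob, sig),
            "pinned_hash": pinned_hash_ok(blob)}


if __name__ == "__main__":
    for name, blob in [("current", CURRENT), ("older", OLDER), ("targeted", TARGETED)]:
        print(name, evaluate(blob, upstream_sign(blob)))
```

The older release and the per-user variant both pass the signature-only policy because upstream signed them; only the pinned hash rejects them.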