On 09.04.20 at 13:24, Stephen Kitt wrote:
> On Thu, 9 Apr 2020 12:37:03 +0200, Markus Koschany <a...@debian.org> wrote:
>> On 09.04.20 at 11:36, Ivo De Decker wrote:
>>> It seems runescape downloads a binary and runs it, without verifying its
>>> integrity. At least the download happens using https, but no other
>>> verification is done.
>>
>> Could you quote the relevant part of Debian Policy that requires
>> verification (and what kind of verification) of downloaded files. Is
>> downloading of verified orig tarballs now a requirement or is it still
>> just sufficient to download the tarball and verify its integrity by hand?
>
> This is a bit different: runescape downloads a binary the first time it's
> run by any given user, so each user can potentially get a different binary.
> Checking orig tarballs (whether using a signing key or manually) produces a
> result which remains the same for all users...
How is this any different? It is possible that tarballs from github.com differ each time a user downloads them, but we don't require verification. Where is this documented in Debian Policy as a "must" requirement? Note that we are talking about a non-free game here. The user has to trust the publisher and there is nothing Debian can do about it. We only provide a simple helper script to download the binary, which is done over a secure transport channel. This is just a little more convenient than downloading it directly with your favorite web browser.