Hi Patrik,

Thanks for the quick reply!

I guess I should have explained a bit more. Of course you are right, simply checking hashsums provided by upstream won't help. What can help is if upstream releases a public key which is included in the Debian package in advance, and signs their binaries with it so we can validate that the binaries are actually from them. However, this still leaves upstream in control of the resulting binaries, and it basically says that Debian trusts them completely, which is not the case here. (This issue was also raised in bug http://bugs.debian.org/545241.)

So the only safe solution I can see is simply offering frequent updates for the geoip-database package, which is compiled from source using the usual Debian development and updating process. AFAICS, this eliminates the problem, but I'm not sure if there's a good way to do it (especially for stable/oldstable releases on an ongoing basis).

Regards,
Tom Feiner