Patrick Matthäi wrote:
> Upstream isn't very cooperative, see the last discussion on debian-devel.
>
> Now I have reached the level that I am able to produce patches and
> package newer versions of the library (with the result of this discussion).

This is great: now that the database format was reverse engineered, the geoip-database package provides a trusted binary, as the community has the source and the build script, and we're the ones producing the GeoIP binary and distributing it.

> The main goal of those scripts is that users who run {old}stable could
> simply update their databases if they need the precision.

The problem I see with these update scripts is that they throw us back to using possibly unsafe, pre-built upstream databases and leave users' machines open to attack.

Is it practical to release a new geoip-database package once a month, following the update from upstream (or at least every 3-4 months)? I guess we can set it up in the watch file / using the HTTP Last-Modified header to keep track and package new versions. This will allow users to rely on the usual Debian update mechanisms without compromising their security.

Thanks for considering this,
Tom Feiner