Patrick Matthäi wrote:
> Upstream isn't very cooperative, see the last discussion on debian-devel.
> 
> Now I have reached the level, that I am able to produce patches and
> package newer versions of the library (with the result of this discussion).

This is great: now that the database format has been reverse engineered, the
geoip-database package provides a trusted binary, as the community has the
source and the build script, and we're the ones producing the GeoIP binary and
distributing it.

> 
> The main goal of those scripts is, that users who run {old}stable could
> simply update their databases if they need the precision.
> 

The problem I see with these update scripts is that they throw us back to
using a possibly unsafe, pre-built upstream database and leave users' machines
open to attack.

Is it practical to release a new geoip-database package once a month, following
the update from upstream (or at least every 3-4 months)? I guess we can set
it up in the watch file / using the HTTP Last-Modified header to keep track
and package new versions. This will allow users to rely on the usual Debian
update mechanisms, without compromising their security.

Thanks for considering this,
    Tom Feiner

Attachment: signature.asc
Description: OpenPGP digital signature
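The "keep track via the HTTP Last-Modified header" idea from the message above, as an added illustration that is not part of the thread and not the geoip-database package's own tooling. It assumes upstream publishes the database file unversioned, so the Last-Modified date is the only version signal, and that the package uses a date-stamped upstream version (YYYYMMDD), which is a constructed convention for this example; the header values in the test are constructed, and the live HEAD request is optional.

```python
"""Added example: decide whether a new geoip-database package is due from the
upstream HTTP Last-Modified header.  Not code from the thread or the package."""
from datetime import timezone
from email.utils import parsedate_to_datetime
import urllib.request


def upstream_version_from_last_modified(header_value):
    """Convert an RFC 1123 Last-Modified value into a YYYYMMDD version string.

    Assumption (this example's convention): the Debian upstream version of a
    date-stamped database is the UTC publication date, so fixed-width strings
    compare correctly with plain string comparison.
    """
    published = parsedate_to_datetime(header_value)
    if published.tzinfo is None:
        # RFC 1123 dates in HTTP are always GMT; treat a naive value as UTC.
        published = published.replace(tzinfo=timezone.utc)
    return published.astimezone(timezone.utc).strftime("%Y%m%d")


def needs_new_package(last_modified_header, packaged_upstream_version):
    """Return the new upstream version string if upstream is newer than what
    is packaged, else None.  Only strictly newer dates trigger a rebuild, so
    a re-upload of the same day's file does not cause churn."""
    candidate = upstream_version_from_last_modified(last_modified_header)
    if candidate > packaged_upstream_version:
        return candidate
    return None


def fetch_last_modified(url, timeout=30):
    """Optional live check: issue a HEAD request and return the Last-Modified
    header, or None if the server did not send one.  Network access is an
    assumption; the offline functions above are the part that is exercised."""
    request = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.headers.get("Last-Modified")


if __name__ == "__main__":
    # Constructed header values standing in for real server responses.
    packaged = "20100501"
    for header in ("Tue, 01 Jun 2010 08:00:00 GMT", "Sat, 01 May 2010 12:00:00 GMT"):
        new_version = needs_new_package(header, packaged)
        print(header, "->", new_version or "already packaged")
```

Fed into a cron job or a watch-style script, a non-None result would be the trigger to rebuild the package from the source and build script rather than to ship the pre-built upstream file, which keeps the trusted-binary property discussed above.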