On 09/04/2020 13:44, Markus Koschany wrote:
On 09.04.20 at 13:24, Stephen Kitt wrote:
On Thu, 9 Apr 2020 12:37:03 +0200, Markus Koschany <a...@debian.org> wrote:
On 09.04.20 at 11:36, Ivo De Decker wrote:
It seems runescape downloads a binary and runs it, without verifying its
integrity. At least the download happens using https, but no other
verification is done.

Could you quote the relevant part of Debian Policy, that requires
verification (and what kind of verification) of downloaded files. Is
downloading of verified orig tarballs now a requirement or is it still just sufficient to download the tarball and verify its integrity by hand?

This is a bit different: runescape downloads a binary the first time it’s run by any given user, so each user can potentially get a different binary. Checking orig tarballs (whether using a signing key or manually) produces a
result which remains the same for all users...

How is this any different? It is possible that tarballs from github.com
differ each time a user is downloading them, but we don't require
verification. Where is this documented in Debian Policy as a "must"
requirement?

Installing a Debian package doesn’t involve downloading a tarball from github.com or anywhere else. A packager downloads the tarball, vets it in some way or other (hopefully), and then uploads it to Debian infrastructure, where it is used to build the binary packages which users eventually download. After the initial upload, the contents don’t change, unless a new version is uploaded.

Put another way, when you install a Debian package, you get the exact same contents as any other user installing the same version of the package, and thus a certain amount of collective trust can be built. This isn’t necessarily the case with the runescape package.

Note that we are talking about a non-free game here. The user has to
trust the publisher and there is nothing Debian can do about it. We only
provide a simple helper script to download the binary, which is done
about a secure transport channel. This is just a little more convenient
than to download it directly with your favorite web browser.

Oh I know, we can’t do anything about trusting the publisher. The main issue is that if for whatever reason a compromised JAR is put in place on the upstream site, the runescape package will download it and run it without any warning. Even the TLS protection doesn’t do much since the download script doesn’t check the upstream certificate (so the site could be hijacked and it would still work).

Consider it this way: the packager will presumably check the package before upload, and we can consider the JAR at that point to be trustworthy (for some value of trustworthy). But there is absolutely no guarantee that the JAR which users will receive bears any resemblance to the JAR checked by the packager.

Regards,

Stephen

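The gap Stephen describes above is that the helper downloads a JAR over TLS and runs it, with nothing tying what the user receives to what the packager checked. The following is an added example, not the runescape package's own script nor anything from Debian: a sketch of a launcher in which the packager pins a SHA-256 of the vetted JAR at upload time, the download goes through `curl` with certificate verification left on and HTTP fallback forbidden, and the JAR is only moved into place and executed after its hash matches. The URL, the pinned hash, the cache path and the function names are all placeholders or assumptions of this example.

```shell
#!/bin/sh
# Added example, not the runescape package's script. A launcher that refuses
# to run a fetched JAR unless its SHA-256 matches a value pinned by the packager.
set -eu

# Placeholder values: a real package would record the hash of the JAR the
# packager actually inspected, alongside the URL it was fetched from.
JAR_URL="https://example.invalid/placeholder.jar"
PINNED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when FILE hashes to EXPECTED_HEX, 1 (with a message on stderr) otherwise.
verify_sha256() {
    file=$1
    expected=$2
    actual=$(sha256sum "$file" | cut -d ' ' -f 1)
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file: expected $expected, got $actual" >&2
    return 1
}

# fetch_and_verify URL DEST EXPECTED_HEX
# Downloads to a temporary file next to DEST, verifies it, and only then moves
# it into place, so a truncated or tampered JAR never sits at DEST.
fetch_and_verify() {
    url=$1
    dest=$2
    expected=$3
    tmp=$(mktemp "${dest}.XXXXXX")
    # --proto '=https' forbids a downgrade to plain HTTP via redirect; certificate
    # verification is curl's default, so there is deliberately no --insecure here.
    # --fail turns an HTTP error page into a non-zero exit instead of a bogus JAR.
    if ! curl --fail --silent --show-error --proto '=https' --location \
            -o "$tmp" "$url"; then
        rm -f "$tmp"
        return 1
    fi
    if ! verify_sha256 "$tmp" "$expected"; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$dest"
}

# main: re-verify a cached JAR on every start (a stale or replaced file is
# treated like a missing one), fetch if needed, then hand over to java.
main() {
    jar="${XDG_CACHE_HOME:-$HOME/.cache}/runescape/runescape.jar"
    mkdir -p "$(dirname "$jar")"
    if [ ! -f "$jar" ] || ! verify_sha256 "$jar" "$PINNED_SHA256"; then
        fetch_and_verify "$JAR_URL" "$jar" "$PINNED_SHA256" || exit 1
    fi
    exec java -jar "$jar" "$@"
}

# When installed as the launcher, append the line:  main "$@"
```

The consequence of pinning is the point of the thread: an upstream change to the JAR, benign or not, makes the launcher stop with a checksum error until the packager vets the new file and uploads a new pinned hash, which is exactly the "same contents for every user" property Stephen contrasts with the current behaviour.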