Bug#546945: libgeoip1: GeoIP example update scripts downloaded, content without hashsum

2009-09-18 Thread Tom Feiner
Patrick Matthäi wrote: At the moment they just have to use backports.org, but I think I will leave the scripts as they are, they are optional. backports.org sounds fine, the important part here is to find users a secure and reliable way to get new geoip-database packages. If we can do that on a

Bug#546945: libgeoip1: GeoIP example update scripts downloaded, content without hashsum

2009-09-18 Thread Patrick Matthäi
Tom Feiner schrieb: Hi, Patrick Matthäi wrote: Hmpf I have got an NACK for my plan from DSA. : How about using debian volatile [0] in order to build geoip-database and distribute it. This will solve all of the above problems mentioned in this

Bug#546945: libgeoip1: GeoIP example update scripts downloaded, content without hashsum

2009-09-18 Thread Tom Feiner
Hi, Patrick Matthäi wrote: Hmpf I have got an NACK for my plan from DSA. : How about using debian volatile [0] in order to build geoip-database and distribute it. This will solve all of the above problems mentioned in this bug: * Users will be able to get newer trusted (debian built) version

Bug#546945: libgeoip1: GeoIP example update scripts downloaded, content without hashsum

2009-09-17 Thread Patrick Matthäi
Tom Feiner schrieb: Hi Patrick, Thanks for considering this again :) Your plan sounds very much like the way the flashplugin-nonfree maintainers operate. The only difference is that as flash is indeed non-free, they don't have the source, so

Bug#546945: libgeoip1: GeoIP example update scripts downloaded content without hashsum

2009-09-16 Thread Tom Feiner
Package: libgeoip1 Version: 1.4.6.dfsg-12 Severity: normal Hi, The example GeoIP database update scripts, located at /usr/share/doc/libgeoip1/examples/*.sh update the binary GeoIP databases from a potentially unsafe source, without validating the downloaded content, making it vulnerable at least

Bug#546945: libgeoip1: GeoIP example update scripts downloaded content without hashsum

2009-09-16 Thread Patrick Matthäi
Tom Feiner schrieb: Package: libgeoip1 Version: 1.4.6.dfsg-12 Severity: normal Hi, The example GeoIP database update scripts, located at /usr/share/doc/libgeoip1/examples/*.sh update the binary GeoIP databases from a potentially unsafe

Bug#546945: libgeoip1: GeoIP example update scripts downloaded content without hashsum

2009-09-16 Thread Tom Feiner
Hi Patrick, Thanks for the quick reply! I guess I should have explained a bit more. Of course you are right, simply checking hashsums provided by upstream won't help. What can help is if upstream releases a public key which is included in the debian package in advance, and sign their binaries

Bug#546945: libgeoip1: GeoIP example update scripts downloaded content without hashsum

2009-09-16 Thread Patrick Matthäi
Tom Feiner schrieb: Hi Patrick, Thanks for the quick reply! I guess I should have explained a bit more. Of course you are right, simply checking hashsums provided by upstream won't help. What can help is if upstream releases a public key

Bug#546945: libgeoip1: GeoIP example update scripts downloaded content without hashsum

2009-09-16 Thread Tom Feiner
Patrick Matthäi wrote: Upstream isn't very cooperative, see the last discussion on debian-devel. Now I have reached the level that I am able to produce patches and package newer versions of the library (with the result of this discussion). This is great, now that the database format was