Bug#956276: runescape: downloads unverified binary and runs it
Markus Koschany
apo at debian.org
Thu Apr 9 11:37:03 BST 2020
Control: tags -1 moreinfo
On 09.04.20 at 11:36, Ivo De Decker wrote:
> package: runescape
> severity: serious
>
> Hi,
>
> It seems runescape downloads a binary and runs it, without verifying its
> integrity. At least the download happens using https, but no other
> verification is done.
Could you quote the relevant part of Debian Policy that requires
verification (and what kind of verification) of downloaded files? Is
downloading of verified orig tarballs now a requirement or is it still
just sufficient to download the tarball and verify its integrity by hand?
Markus Koschany
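
One form the verification discussed in this thread could take, as an added example that is not part of either message or of the runescape package: the downloaded file is hashed, compared against a pinned SHA-256, and only the bytes that were hashed are made executable. It assumes a known-good digest is shipped with the package; `stage_verified`, `IntegrityError` and the sample files are hypothetical names and constructed data.

```python
import hashlib
import hmac
import os
import tempfile


class IntegrityError(Exception):
    """Raised when a downloaded file does not match its pinned digest."""


def stage_verified(download_path, pinned_sha256, stage_dir):
    """Hash the download, compare it with the pinned digest, and only then
    write an executable copy. Returns the path of the verified copy."""
    digest = hashlib.sha256()
    chunks = []
    # Read once and keep the bytes: the copy made executable is exactly what
    # was hashed, so replacing the download after the check gains nothing.
    with open(download_path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
            chunks.append(chunk)
    if not hmac.compare_digest(digest.hexdigest(), pinned_sha256.lower()):
        raise IntegrityError(f"digest mismatch for {download_path}")
    # mkstemp creates a new file (O_EXCL) readable only by the current user.
    fd, staged = tempfile.mkstemp(dir=stage_dir, prefix="verified-")
    with os.fdopen(fd, "wb") as out:
        out.writelines(chunks)
    os.chmod(staged, 0o700)
    return staged


def demo():
    """Constructed sample: a stand-in 'binary' and a modified variant."""
    payload = b"#!/bin/sh\necho constructed sample\n"
    pinned = hashlib.sha256(payload).hexdigest()  # assumed shipped in the package
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "client.bin")
        bad = os.path.join(tmp, "tampered.bin")
        with open(good, "wb") as fh:
            fh.write(payload)
        with open(bad, "wb") as fh:
            fh.write(payload + b"echo modified\n")
        staged = stage_verified(good, pinned, tmp)
        staged_ok = (os.stat(staged).st_mode & 0o777) == 0o700
        try:
            stage_verified(bad, pinned, tmp)
            rejected = False
        except IntegrityError:
            rejected = True
        return staged_ok, rejected
```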