Bug#956276: runescape: downloads unverified binary and runs it

Stephen Kitt skitt at debian.org
Thu Apr 9 12:24:16 BST 2020


On Thu, 9 Apr 2020 12:37:03 +0200, Markus Koschany <apo at debian.org> wrote:
> Am 09.04.20 um 11:36 schrieb Ivo De Decker:
> > It seems runescape downloads a binary and runs it, without verifying its
> > integrity. At least the download happens using https, but no other
> > verification is done.  
> 
> Could you quote the relevant part of Debian Policy, that requires
> verification (and what kind of verification) of downloaded files. Is
> downloading of verified orig tarballs now a requirement or is it still
> just sufficient to download the tarball and verify its integrity by hand?

This is a bit different: runescape downloads a binary the first time it’s
run by any given user, so each user can potentially get a different binary.
Checking orig tarballs (whether using a signing key or manually) produces a
result which remains the same for all users...

Regards,

Stephen
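The missing check that the bug report describes, as an added example that is not part of this thread or of the runescape package: a small first-run fetch wrapper that refuses to execute a downloaded binary unless its SHA-256 digest matches a value pinned at packaging time. The digest, URL, file names and function names are assumptions for illustration; a real launcher would carry the digest of the exact upstream release it was packaged against.

```shell
#!/bin/sh
# Added example, not code from the runescape package or from Debian.
# Idea: the package ships a pinned digest of the binary it expects; the
# launcher downloads to a temporary name, verifies, and only then installs
# the file where it will be executed. Every user then gets the same
# binary (or none), instead of whatever the server happens to serve.

# Hypothetical placeholder; the packager records the real digest here.
PINNED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 only if FILE's SHA-256 digest equals EXPECTED_HEX exactly.
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# fetch_and_verify URL DEST EXPECTED_HEX
# Downloads over HTTPS into DEST.part, verifies, then renames to DEST.
# On any failure the partial file is removed and nothing is executed.
fetch_and_verify() {
    url=$1; dest=$2; expected=$3
    tmp="$dest.part"
    # --proto '=https' rejects a redirect to plain http.
    curl --proto '=https' -fsSL -o "$tmp" "$url" || { rm -f "$tmp"; return 1; }
    if verify_sha256 "$tmp" "$expected"; then
        mv "$tmp" "$dest"
    else
        rm -f "$tmp"
        echo "refusing to run $dest: digest does not match pinned value" >&2
        return 1
    fi
}

# run_once URL DEST EXPECTED_HEX
# Downloads and verifies only when DEST is missing, then returns success
# so the caller can exec the verified binary.
run_once() {
    [ -x "$2" ] || fetch_and_verify "$1" "$2" "$3" || return 1
    verify_sha256 "$2" "$3"
}
```

A caller would do something like `run_once "$UPSTREAM_URL" "$HOME/.cache/game/client.bin" "$PINNED_SHA256" && exec "$HOME/.cache/game/client.bin"`. Pinning has a cost the thread hints at: when upstream replaces the binary, the launcher stops working until the package is updated with the new digest, which is exactly the point, since a silently changed binary is what the check is meant to catch.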