Bug#956276: runescape: downloads unverified binary and runs it

Markus Koschany apo at debian.org
Thu Apr 9 12:44:01 BST 2020


Am 09.04.20 um 13:24 schrieb Stephen Kitt:
> On Thu, 9 Apr 2020 12:37:03 +0200, Markus Koschany <apo at debian.org> wrote:
>> Am 09.04.20 um 11:36 schrieb Ivo De Decker:
>>> It seems runescape downloads a binary and runs it, without verifying its
>>> integrity. At least the download happens using https, but no other
>>> verification is done.  
>>
>> Could you quote the relevant part of Debian Policy, that requires
>> verification (and what kind of verification) of downloaded files. Is
>> downloading of verified orig tarballs now a requirement or is it still
>> just sufficient to download the tarball and verify its integrity by hand?
> 
> This is a bit different: runescape downloads a binary the first time it’s
> run by any given user, so each user can potentially get a different binary.
> Checking orig tarballs (whether using a signing key or manually) produces a
> result which remains the same for all users...

How is this any different? It is possible that tarballs from github.com
differ each time a user is downloading them, but we don't require
verification. Where is this documented in Debian Policy as a "must"
requirement?

Note that we are talking about a non-free game here. The user has to
trust the publisher and there is nothing Debian can do about it. We only
provide a simple helper script to download the binary, which is done
over a secure transport channel. This is just a little more convenient
than downloading it directly with your favorite web browser.
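For the integrity check the thread is arguing about, an added example (not the runescape package's own helper script): a POSIX sh download helper that only executes the fetched file when it matches a SHA-256 digest pinned in the package at build time, so every user checks against the same value regardless of what the server returned. The URL, digest and destination path are placeholders.

```shell
#!/bin/sh
# Added example, not the Debian runescape helper script.
# Assumes: placeholder URL/digest/dest supplied by the caller.
set -eu

# SHA-256 of a file; uses sha256sum where available, shasum otherwise.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 only if the file matches the pinned digest. The digest is
# shipped with the package, so HTTPS alone is no longer the only thing
# standing between the user and a substituted binary.
verify_pinned() {
    file=$1; expected=$2
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# Fetch to a temporary file, verify, and only then install and execute.
# On mismatch nothing executable is left behind.
fetch_and_run() {
    url=$1; expected=$2; dest=$3
    tmp=$(mktemp)
    curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"
    if ! verify_pinned "$tmp" "$expected"; then
        rm -f "$tmp"
        echo "checksum mismatch for $url, refusing to run" >&2
        return 1
    fi
    mv "$tmp" "$dest" && chmod 0755 "$dest"
    exec "$dest"
}
```

A package would pin the digest in its own source and bump it with each upstream release, which is where the "same result for all users" property of a verified orig tarball comes from.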

