
Re: Fwd: can anyone review diaspora-installer?

On Thu, Apr 06, 2017 at 11:17:26AM +0530, Pirate Praveen wrote:
> Sharing with wider debian community, hoping to get some support.

I'm afraid I cannot give my support to this. I'm not involved with
release management, so this is just one rando developer's opinion.

> Current version in unstable does not have any RC bugs

Possibly it should. Looking at

https://sources.debian.net/src/diaspora-installer/0.6.3.0%2Bdebian4/diaspora-download.sh/

If I read that code correctly, it downloads code from GitHub, and
installs it. There is no verification step that the downloaded content
is valid and hasn't been substituted by an attacker. This seems to me
unfit for a Debian stable release. I would expect the package to check
the checksum of the downloaded tarball, or use a similar mechanism.

-- 
I want to build worthwhile things that might last. --joeyh

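The kind of download-then-verify step the reply asks for, as an added example that is not code from the diaspora-installer package or from anyone in this thread. The tarball URL, destination path and expected checksum are placeholders to be pinned in the package; `fetch` is a thin wrapper around curl so the verification logic can be exercised offline.

```shell
#!/bin/sh
# Added example: fetch a release tarball, verify its SHA-256 against a
# checksum pinned in the package, and install it only if the two match.
set -eu

# fetch URL DEST: download URL to DEST. Wrapped so callers (and tests)
# can substitute another transport without touching the verify logic.
fetch() {
    curl -fsSL -o "$2" "$1"
}

# verify_sha256 FILE EXPECTED: 0 if FILE hashes to EXPECTED, 1 otherwise.
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# fetch_verified URL DEST EXPECTED: download to a temporary file next to
# DEST and move it into place only after the checksum matches. On any
# failure the temporary file is removed, so a substituted tarball never
# reaches DEST.
fetch_verified() {
    url=$1
    dest=$2
    expected=$3
    tmp=$(mktemp "${dest}.XXXXXX")
    if ! fetch "$url" "$tmp"; then
        rm -f "$tmp"
        echo "download of $url failed" >&2
        return 1
    fi
    if ! verify_sha256 "$tmp" "$expected"; then
        rm -f "$tmp"
        echo "checksum mismatch for $url; refusing to install" >&2
        return 1
    fi
    mv "$tmp" "$dest"
}

# Placeholder values; a real package pins the checksum of the exact
# release it ships, alongside the URL, in the package source.
# fetch_verified "https://example.invalid/diaspora-RELEASE.tar.gz" \
#     /var/lib/diaspora/diaspora.tar.gz \
#     "<sha256 of the pinned release tarball>"
```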