RPM submission procedure

Enrico Scholz enrico.scholz at informatik.tu-chemnitz.de
Thu Jan 8 01:43:42 UTC 2004


esr at thyrsus.com ("Eric S. Raymond") writes:

>> Something like how I started this Bugzilla report is one way packages 
>> are submitted.  Only the URL to SRPM, URL to md5sums.asc, and a short 
>> description about what the package does.
> ...
>
> (2) Don't RPMs have their own internal checksum?

Yes, they do, but we request the md5sums for security reasons: a
hostile packager could replace the package with a malicious version
after a successful review.

The buildsystem verifies actual and expected MD5sum to prevent this kind
of attack.



Enrico
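
The check described in the message above, as an added example that is not part of the original post and is not the Fedora buildsystem's code. It assumes md5sums.asc is `md5sum` output wrapped in a PGP clearsigned message whose signature was verified separately; the function names, the file name and the sample data are constructed for illustration.

```python
import hashlib
import hmac

def parse_md5sums(clearsigned):
    """Map filename -> hex digest from the signed body of an md5sums.asc.

    Assumption: the signature itself was already checked (gpg --verify);
    text outside the signed body is ignored, so a bare list yields nothing.
    """
    entries, state = {}, "outside"
    for line in clearsigned.splitlines():
        if line == "-----BEGIN PGP SIGNED MESSAGE-----":
            state = "headers"
        elif line == "-----BEGIN PGP SIGNATURE-----":
            break
        elif state == "headers":
            if line == "":              # blank line ends the "Hash: ..." headers
                state = "body"
        elif state == "body" and line.strip():
            if line.startswith("- "):   # undo clearsign dash-escaping
                line = line[2:]
            digest, _, name = line.partition(" ")
            name = name[1:]             # drop md5sum's mode char (" " or "*")
            if len(digest) == 32 and all(c in "0123456789abcdef" for c in digest.lower()) and name:
                entries[name] = digest.lower()
    return entries

def verify_fetched(name, data, manifest):
    """True only if the fetched bytes match the digest recorded at review."""
    expected = manifest.get(name)
    if expected is None:
        return False                    # unlisted file: fail closed
    actual = hashlib.md5(data).hexdigest()
    return hmac.compare_digest(actual, expected)

# Constructed sample data (not real packages, not a real signature).
REVIEWED = b"constructed SRPM contents as reviewed"
SWAPPED = b"constructed SRPM contents replaced after review"
MD5SUMS_ASC = "\n".join([
    "-----BEGIN PGP SIGNED MESSAGE-----",
    "Hash: SHA1",
    "",
    hashlib.md5(REVIEWED).hexdigest() + "  foo-1.0-1.src.rpm",
    "-----BEGIN PGP SIGNATURE-----",
    "(constructed placeholder, not a real signature)",
    "-----END PGP SIGNATURE-----",
])
MANIFEST = parse_md5sums(MD5SUMS_ASC)
```

The digest is taken from the signed list recorded at review time, never from the download location, so a file swapped on the server afterwards no longer matches.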





More information about the fedora-devel-list mailing list