On Wed, 2006-05-31 at 20:49 +0200, Thorsten Leemhuis wrote:
> Ohh, sorry, yes, that was a bit misleading. The problem simply is: who
> checks that the md5 sums stored in CVS are fine / those from upstream?
> Nobody. I can upload a new version of package "foo" at any time and
> include a rootkit in the tarball I upload. No one would notice.

Any new entries to the lookaside cache should be logged to the commits list. (Are they already?) Any direct uploads not being grabbed directly from upstream should be watched particularly closely.

This is a social problem. Looking for a technical solution to a social problem is barking up the wrong tree. The solution is to ensure reliable accounting is available for the community to monitor.
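The comparison the quoted message says nobody performs, written out as an added example (not code from either poster or from the project's tooling): each md5 recorded in the CVS `sources` file is checked against a checksum gathered independently from upstream and against the bytes actually sitting in the lookaside cache, so a re-rolled upstream tarball, a cache file altered after upload, and a direct upload with no upstream reference each produce a distinct finding for a reviewer. The two-column `<md5hex>  <filename>` layout of the `sources` file and the dictionary shapes for upstream sums and cache contents are assumptions of this example; all tarball bytes and sums are constructed.

```python
import hashlib


def parse_sources(text):
    """Parse lines of the form '<md5hex>  <filename>' into {filename: md5hex}.

    The two-column layout is an assumption of this example; blank lines and
    '#' comments are skipped, anything else is rejected rather than guessed at.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or len(parts[0]) != 32:
            raise ValueError(f"malformed sources line: {line!r}")
        entries[parts[1]] = parts[0].lower()
    return entries


def audit_sources(sources_text, upstream_sums, cache_blobs):
    """Return {filename: [problem, ...]}; an empty list means the entry passed.

    upstream_sums: {filename: md5hex} obtained independently from upstream,
                   the reference the thread says nobody compares against.
    cache_blobs:   {filename: bytes} as currently stored in the lookaside cache.
    """
    report = {}
    for fname, recorded in parse_sources(sources_text).items():
        problems = []
        # Check 1: does the sum committed to CVS match what upstream publishes?
        upstream = upstream_sums.get(fname)
        if upstream is None:
            problems.append("no independent upstream checksum: direct upload, review by hand")
        elif upstream.lower() != recorded:
            problems.append(f"recorded md5 {recorded} differs from upstream {upstream.lower()}")
        # Check 2: do the cached bytes still hash to the recorded sum?
        blob = cache_blobs.get(fname)
        if blob is None:
            problems.append("file missing from lookaside cache")
        else:
            actual = hashlib.md5(blob).hexdigest()
            if actual != recorded:
                problems.append(f"cached bytes hash to {actual}, not the recorded {recorded}")
        report[fname] = problems
    return report


# Constructed sample data (not real tarballs, not real checksums).
FOO_TARBALL = b"foo-1.0 pristine tarball bytes"
BAR_TARBALL = b"bar-2.1 pristine tarball bytes"
BAZ_TARBALL = b"baz-0.3 maintainer-generated snapshot"
FOO_SUM = hashlib.md5(FOO_TARBALL).hexdigest()
BAR_SUM = hashlib.md5(BAR_TARBALL).hexdigest()
BAZ_SUM = hashlib.md5(BAZ_TARBALL).hexdigest()

SOURCES_FILE = f"""
# constructed 'sources' file as committed to CVS
{FOO_SUM}  foo-1.0.tar.gz
{BAR_SUM}  bar-2.1.tar.gz
{BAZ_SUM}  baz-0.3.tar.gz
"""

# What upstream publishes: bar's tarball differs from what was committed,
# and baz has no upstream at all (a direct upload).
UPSTREAM_SUMS = {
    "foo-1.0.tar.gz": FOO_SUM,
    "bar-2.1.tar.gz": hashlib.md5(b"bar-2.1 as published by upstream").hexdigest(),
}

# Lookaside cache contents: foo's cached file was altered after upload.
CACHE = {
    "foo-1.0.tar.gz": FOO_TARBALL + b"\n# appended after upload",
    "bar-2.1.tar.gz": BAR_TARBALL,
    "baz-0.3.tar.gz": BAZ_TARBALL,
}


def run_example():
    """Audit the constructed sources file against the constructed references."""
    return audit_sources(SOURCES_FILE, UPSTREAM_SUMS, CACHE)


if __name__ == "__main__":
    for name, problems in run_example().items():
        print(name, "OK" if not problems else "; ".join(problems))
```

The upstream dictionary is the piece that has to come from somewhere other than the committer: if it is populated from the same upload, the first check only compares a value with itself, which is exactly the gap the quoted message describes.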