
Re: Summary from last weeks FESCo meeting



On Wed, 2006-05-31 at 20:49 +0200, Thorsten Leemhuis wrote:
> Ohh, sorry, yes, that was a bit misleading. The problem simply is: who
> checks that the md5 sums stored in CVS are fine / those from upstream?
> Nobody. I can upload a new version of package "foo" at any time and
> include a rootkit in the tarball I upload. No one would notice.

Any new entries to the lookaside cache should be logged to the commits
list. (Are they already?) Any direct uploads not being grabbed directly
from upstream should be watched particularly closely.

This is a social problem. Looking for a technical solution to a social
problem is barking up the wrong tree. The solution is to ensure reliable
accounting is available for the community to monitor.
