Summary from last weeks FESCo meeting

Callum Lerwick seg at haxxed.com
Fri Jun 2 21:21:26 UTC 2006


On Wed, 2006-05-31 at 20:49 +0200, Thorsten Leemhuis wrote:
> Ohh, sorry, yes, that was a bit misleading. The problem simply is: who
> checks that the md5 sums stored in CVS are fine / those from upstream?
> Nobody. I can upload a new version of package "foo" at any time and
> include a rootkit in the tarball I upload. No one would notice.

Any new entries to the lookaside cache should be logged to the commits
list. (Are they already?) Any direct uploads not being grabbed directly
from upstream should be watched particularly closely.

This is a social problem. Looking for a technical solution to a social
problem is barking up the wrong tree. The solution is to ensure reliable
accounting is available for the community to monitor.
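As an added example of the check the quoted question asks about (not code from the post or from the Fedora project), the audit below compares each tarball named in a package's `sources` file against the cached file and against the checksum list published upstream, so a direct upload that matches its CVS record but not upstream stands out. It assumes the `sources` file and the upstream list both use "<md5hex>  <filename>" lines, and builds a throwaway cache with constructed tarballs.

```python
import hashlib
import os
import tempfile

def parse_sources(text):
    """Parse "<md5hex>  <filename>" lines (sources-file layout assumed here)."""
    entries = {}
    for line in text.splitlines():
        digest, sep, name = line.strip().partition("  ")
        if sep:  # skip blank or malformed lines
            entries[name.strip()] = digest.lower()
    return entries

def md5_of_file(path):
    """MD5 is what the CVS records carry; it flags drift, it is not a signature."""
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def audit_lookaside(sources_text, cache_dir, upstream_text):
    """Status per tarball: ok, cvs-mismatch, upstream-mismatch or missing."""
    cvs, upstream = parse_sources(sources_text), parse_sources(upstream_text)
    report = {}
    for name, recorded in cvs.items():
        path = os.path.join(cache_dir, name)
        if not os.path.exists(path):
            report[name] = "missing"
            continue
        actual = md5_of_file(path)
        if actual != recorded:
            report[name] = "cvs-mismatch"       # cache content differs from CVS record
        elif upstream.get(name) != actual:
            report[name] = "upstream-mismatch"  # CVS and cache agree, upstream does not
        else:
            report[name] = "ok"
    return report

def demo():
    """Constructed cache: one genuine upload, one that differs from upstream."""
    genuine = b"foo-1.0 upstream release\n"
    altered = b"foo-1.1 release with extra bytes\n"  # stands in for a tampered upload
    pristine = b"foo-1.1 upstream release\n"
    def md5hex(data): return hashlib.md5(data).hexdigest()
    with tempfile.TemporaryDirectory() as cache:
        for name, data in (("foo-1.0.tar.gz", genuine), ("foo-1.1.tar.gz", altered)):
            with open(os.path.join(cache, name), "wb") as f:
                f.write(data)
        sources = "%s  foo-1.0.tar.gz\n%s  foo-1.1.tar.gz\n%s  foo-0.9.tar.gz\n" % (
            md5hex(genuine), md5hex(altered), "0" * 32)
        upstream = "%s  foo-1.0.tar.gz\n%s  foo-1.1.tar.gz\n" % (md5hex(genuine), md5hex(pristine))
        return audit_lookaside(sources, cache, upstream)
```

Run over the real lookaside cache, the "upstream-mismatch" entries are the uploads the post says deserve a closer look; "missing" entries show records with no file behind them.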