Summary from last week's FESCo meeting

Patrice Dumas pertusus at free.fr
Wed May 31 18:53:04 UTC 2006


> Ohh, sorry, yes, that was a bit misleading. The problem simply is: who
> checks that the md5 sums stored in CVS are fine / those from upstream?
> Nobody. I can upload a new version of package "foo" at any time and
> include a rootkit in the tarball I upload. No one would notice.

Anybody could notice that the source file has changed and could verify that 
the md5sum matches upstream. I don't think that anybody does, however
(I don't ;)...

--
Pat
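
The check discussed in this message, as an added example that is not part of the original post: compare the md5 sums recorded for a package against copies of the tarballs fetched independently from upstream. It assumes the recorded sums are in `md5sum` output format and that the upstream copies sit in a local directory; the function names and sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def file_md5(path: Path) -> str:
    """Stream the file so large tarballs are not read into memory at once."""
    h = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text: str) -> dict:
    """Parse md5sum-style lines ('<hex digest>  <filename>') into {name: digest}."""
    recorded = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, name = line.strip().split(None, 1)
        recorded[name.lstrip("*")] = digest.lower()
    return recorded

def audit(manifest_text: str, upstream_dir: Path) -> dict:
    """Compare each recorded digest with the independently fetched upstream copy."""
    result = {}
    for name, digest in parse_manifest(manifest_text).items():
        # Use only the base name so a manifest entry cannot point outside the directory.
        candidate = upstream_dir / Path(name).name
        if not candidate.is_file():
            result[name] = "missing-upstream"  # nothing to compare against: unverified
        elif file_md5(candidate) == digest:
            result[name] = "match"
        else:
            result[name] = "MISMATCH"  # recorded tarball differs from upstream's
    return result

def demo() -> dict:
    """Constructed sample data: one good entry, one altered tarball, one absent upstream."""
    with tempfile.TemporaryDirectory() as tmp:
        up = Path(tmp)
        (up / "foo-1.0.tar.gz").write_bytes(b"upstream foo release")
        (up / "bar-2.1.tar.gz").write_bytes(b"upstream bar release")
        manifest = (
            f"{hashlib.md5(b'upstream foo release').hexdigest()}  foo-1.0.tar.gz\n"
            f"{hashlib.md5(b'altered bar release').hexdigest()}  bar-2.1.tar.gz\n"
            f"{'0' * 32}  baz-0.3.tar.gz\n"
        )
        return audit(manifest, up)

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:17} {name}")
```

The result is only as trustworthy as the channel used to obtain the upstream copies, so they should be downloaded separately from whatever the packager uploaded.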
