Summary from last weeks FESCo meeting
Michael A. Peters
mpeters at mac.com
Wed May 31 21:26:30 UTC 2006
On Wed, 2006-05-31 at 20:53 +0200, Patrice Dumas wrote:
> > Ohh, sorry, yes, that was a bit misleading. The problem simply is: who
> > checks that the md5 sums stored in CVS are fine / those from upstream?
> > Nobody. I can upload a new version of package "foo" at any time and
> > include a rootkit in the tarball I upload. No one would notice.
>
> Anybody could notice that the source file has changed and could verify that
> the md5sum matches upstream. I don't think that anybody does, however
> (I don't ;)...
If the URL is full path, such a check could be scripted - though some
checks would need to be manual. Probably not at build time, but a
periodic audit.
Such a check could also catch cases where upstream does something dirty
and changes the src tarball without versioning - happened in one package
I reviewed during the review process.
More information about the fedora-extras-list
mailing list