Summary from last weeks FESCo meeting

Michael A. Peters mpeters at mac.com
Wed May 31 21:26:30 UTC 2006


On Wed, 2006-05-31 at 20:53 +0200, Patrice Dumas wrote:
> > Ohh, sorry, yes, that was a bit misleading. The problem simply is: who
> > checks that the md5 sums stored in CVS are fine / those from upstream?
> > Nobody. I can upload a new version of package "foo" at any time and
> > include a rootkit in the tarball I upload. No one would notice.
> 
> Anybody could notice that the source file has changed and could verify that 
> the md5sum matches upstream. I don't think that anybody does, however
> (I don't ;)...

If the URL is full path, such a check could be scripted - though some
checks would need to be manual. Probably not at build time, but a
periodic audit.

Such a check could also catch cases where upstream does something dirty
and changes the src tarball without versioning - happened in one package
I reviewed during the review process.




More information about the fedora-extras-list mailing list