RPM security (a newbie question)

"Stanisław T. Findeisen" sf181257 at students.mimuw.edu.pl
Thu Apr 2 11:45:58 UTC 2009


Rahul Sundaram wrote:
>> Probably there are lots of packages reviewed by their authors only?
> 
> Review and signing are two different processes. Every single new package
> has to go through a review process as outlined in
> 
> http://fedoraproject.org/wiki/Packaging/ReviewGuidelines
> 
> Signing a package is done by a small number of people in the release
> engineering team and they do that manually before pushing it into the
> repositories.

Well, it looks like those "review guidelines" cover mostly 
administrative/legal issues. It looks like no one cares about the source 
code.

So it looks like it's quite possible to have a lot of trojan 
horses/rootkits/whatever in the distribution tree.

To get rid of it, we would have to review the source code.

STF

=======================================================================
http://eisenbits.homelinux.net/~stf/
OpenPGP: 9D25 3D89 75F1 DF1D F434  25D7 E87F A1B9 B80F 8062
=======================================================================
