RPM security (a newbie question)

Todd Zullinger tmz at pobox.com
Thu Apr 2 12:38:48 UTC 2009


Rahul Sundaram wrote:
> Stanisław T. Findeisen wrote:
>> Well, it looks that those "review guidelines" cover mostly
>> administrative/legal issues. It looks that no one cares about the
>> source code.
>
> You missed that the review guidelines have a source check as well.
> Read it in detail.

While the review guidelines do make sure that the source code matches
upstream¹, that doesn't ensure that upstream doesn't have backdoors,
holes, malicious content, etc.

The only solution for that is more eyes looking over the code that
makes up the OS.  What mitigates that is knowing that if upstream has
such code, it may be noticed not only by Fedora, but by any other
distro or user.  And that would surely become known rather quickly.

One big advantage that free software has is that anyone is free to
look over the code.  The more people that use that freedom, the better
off we'll all be.

¹ https://fedoraproject.org/wiki/Packaging:ReviewGuidelines includes:
  MUST: The sources used to build the package must match the upstream
  source, as provided in the spec URL.
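  As an added illustration of that MUST (not Fedora's own review tooling),
  the following Python checker expands the Source tags of a spec and compares
  the SHA-256 of each local source file with an upstream checksum manifest;
  the spec text, the file contents and the manifest are all constructed here.

```python
"""Check that the source files a spec names match upstream checksums.
Constructed illustration: SPEC, LOCAL_SOURCES and UPSTREAM_SHA256 stand in
for a real spec, the SOURCES/ directory and an upstream-published manifest."""
import hashlib
import hmac
import re

SPEC = """\
Name:           example
Version:        1.2.3
Release:        1%{?dist}
Source0:        https://example.org/releases/%{name}-%{version}.tar.gz
Source1:        https://example.org/releases/%{name}-icons-%{version}.tar.gz
"""

# Constructed stand-ins for the files a reviewer would find in SOURCES/.
LOCAL_SOURCES = {
    "example-1.2.3.tar.gz": b"constructed tarball bytes",
    "example-icons-1.2.3.tar.gz": b"constructed icon tarball, locally altered",
}

# Constructed manifest of what upstream says it published.
UPSTREAM_SHA256 = {
    "example-1.2.3.tar.gz": hashlib.sha256(b"constructed tarball bytes").hexdigest(),
    "example-icons-1.2.3.tar.gz": hashlib.sha256(b"constructed icon tarball").hexdigest(),
}

def spec_macros(spec):
    """Collect simple tag values (Name, Version, ...) usable as %{tag} macros."""
    return {k.lower(): v for k, v in re.findall(r"^(\w+):\s*(\S+)", spec, re.M)}

def expand(value, macros):
    """Expand %{name}-style macros; unknown ones (e.g. %{?dist}) are left as-is."""
    return re.sub(r"%\{(\w+)\}", lambda m: macros.get(m.group(1).lower(), m.group(0)), value)

def source_files(spec):
    """Return the basenames of all SourceN tags, macros expanded."""
    macros = spec_macros(spec)
    return [expand(v, macros).rsplit("/", 1)[-1]
            for _, v in re.findall(r"^(Source\d*):\s*(\S+)", spec, re.M)]

def check_sources(spec, local_files, upstream_sha256):
    """Map each source file to 'match', 'MISMATCH' or 'missing' (no local file or no manifest entry)."""
    verdicts = {}
    for name in source_files(spec):
        data, expected = local_files.get(name), upstream_sha256.get(name)
        if data is None or expected is None:
            verdicts[name] = "missing"
            continue
        actual = hashlib.sha256(data).hexdigest()
        verdicts[name] = "match" if hmac.compare_digest(actual, expected) else "MISMATCH"
    return verdicts
```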

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I always keep a supply of stimulant handy in case I see a snake -
which I also keep handy.
    -- W. C. Fields
