RPM security (a newbie question)
"Stanisław T. Findeisen"
sf181257 at students.mimuw.edu.pl
Thu Apr 2 13:20:33 UTC 2009
Rahul Sundaram wrote:
>> While the review guidelines do make sure that the source code matches
>> upstream¹, that doesn't ensure that upstream doesn't have backdoors,
>> holes, malicious content, etc.
>
> That's a totally different question IMO. We at the distribution level
> can only check whether there is a packaging level attempt at introducing
> a security hole. Doing a complete security audit of all the code that is
> being included is not feasible at all at the distribution level. This
> btw, has nothing to do with RPM or any other packaging method. All
> distributions work on the principle that upstream projects are
> responsible at the code level for their own security. We can add things
> like compiler options and firewalls but that doesn't prevent an upstream
> security hole from being exploited, whether introduced accidentally or not.
Okay, is there any software written specifically for Fedora? KDE gadgets,
or such?
If so, then I guess we should monitor it at the distribution level.
STF
=======================================================================
http://eisenbits.homelinux.net/~stf/
OpenPGP: 9D25 3D89 75F1 DF1D F434 25D7 E87F A1B9 B80F 8062
=======================================================================
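The packaging-level check the quoted reply refers to (that the source tarball in the package is the one upstream shipped) comes down to comparing the digest of the packaged file against the digest upstream published. The script below is an added example written for this thread; it is not Fedora review tooling and not code from either poster. It assumes (hypothetically) that upstream publishes a checksum list in either coreutils `sha256sum` format or BSD `SHA256 (file) = hex` format, and the tarball bytes and checksum list used here are constructed in-memory stand-ins, not real upstream data.

```python
"""
Verify that a packaged source tarball matches the checksum upstream published.

Added example for the review step discussed above; not Fedora tooling.
Assumptions (hypothetical): the checksum list uses coreutils `sha256sum`
format ("<hex>  <name>") or BSD format ("SHA256 (<name>) = <hex>"), and the
tarball bytes are already on disk or in memory.
"""
import hashlib
import hmac
import re

# BSD-style line:   SHA256 (foo-1.0.tar.gz) = <64 hex chars>
_BSD = re.compile(r"^SHA256\s*\((?P<name>[^)]+)\)\s*=\s*(?P<hex>[0-9a-fA-F]{64})$")
# coreutils-style line:   <64 hex chars>  foo-1.0.tar.gz   (" *" marks binary mode)
_GNU = re.compile(r"^(?P<hex>[0-9a-fA-F]{64})\s+\*?(?P<name>\S.*)$")


def parse_sha256sums(text: str) -> dict:
    """Return {filename: lowercase hex digest} from an upstream SHA256SUMS file."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _BSD.match(line) or _GNU.match(line)
        if m is None:
            # Refuse to guess: a line we cannot parse must not silently pass.
            raise ValueError(f"unrecognised checksum line: {raw!r}")
        expected[m.group("name")] = m.group("hex").lower()
    return expected


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of the packaged file's bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_source(name: str, data: bytes, sums_text: str) -> str:
    """Return 'ok', 'mismatch' or 'unlisted' for one packaged source file."""
    expected = parse_sha256sums(sums_text)
    if name not in expected:
        return "unlisted"          # upstream never published a digest for this name
    actual = sha256_of(data)
    # compare_digest avoids short-circuiting on the first differing byte.
    return "ok" if hmac.compare_digest(actual, expected[name]) else "mismatch"


# Constructed sample data (not real upstream files): a fake tarball, a tampered
# copy, and the checksum list upstream would publish next to the tarball.
UPSTREAM_TARBALL = b"not really a tarball, just bytes standing in for foo-1.0.tar.gz\n"
TAMPERED_TARBALL = UPSTREAM_TARBALL + b"# injected\n"
UPSTREAM_SUMS = "\n".join([
    f"{sha256_of(UPSTREAM_TARBALL)}  foo-1.0.tar.gz",
    "SHA256 (foo-1.0.tar.gz.sig) = " + "0" * 64,
]) + "\n"

if __name__ == "__main__":
    print("pristine:", verify_source("foo-1.0.tar.gz", UPSTREAM_TARBALL, UPSTREAM_SUMS))
    print("tampered:", verify_source("foo-1.0.tar.gz", TAMPERED_TARBALL, UPSTREAM_SUMS))
    print("unknown :", verify_source("foo-1.0.tar.xz", UPSTREAM_TARBALL, UPSTREAM_SUMS))
```

Two caveats a reviewer would keep in mind: a digest fetched from the same server as the tarball only proves the package was not altered in transit or by the packager, so the checksum list should be obtained out of band or verified against upstream's signature; and, exactly as the quoted reply says, a match tells you nothing about whether upstream's own code is sound.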