Is this possible in Fedora?

Todd Zullinger tmz at pobox.com
Fri Dec 11 15:19:35 UTC 2009


Tim wrote:
> It'll take quite some effort, not impossible, but very difficult, to
> get a signed compromising package into the repos.

One rogue package maintainer could do it easily.  In fact, if one
rogue upstream provided a tarball with a backdoor in it, it might slip
into many distributions before it was noticed.

There are source audits of the fedora packages, to check that the
tarballs which have been uploaded to our buildsystem match what
upstream has provided, but these checks aren't run on a daily basis.
And they wouldn't catch the problem of a tarball that was compromised
upstream.

The scary possibility is that it's probably easier than many people
think it is.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The sunshine bores the daylights out of me.
Chasing shadows moonlight mystery.
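The tarball audit Todd describes, as an added example (not Fedora's own tooling or code from this thread): it parses a dist-git style `sources` file and reports which local tarballs match the recorded digest, differ from it, or are absent. The `SHA512 (file) = digest` line format and the package names are assumptions, and the sample data is constructed.

```python
import hashlib
import re

# Assumed dist-git `sources` line format: "SHA512 (file.tar.gz) = hexdigest".
_LINE_RE = re.compile(r"^(?P<algo>[A-Z0-9]+) \((?P<name>[^)]+)\) = (?P<hexdigest>[0-9a-f]+)$")


def parse_sources(text):
    """Return {filename: (hashlib algorithm name, expected hexdigest)}."""
    expected = {}
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable sources line: {line!r}")
        expected[m["name"]] = (m["algo"].lower(), m["hexdigest"])
    return expected


def audit_tarballs(sources_text, tarballs):
    """Compare each recorded digest with the tarball actually present.

    `tarballs` maps filename -> bytes (read from disk in real use).
    Returns {filename: "ok" | "mismatch" | "missing"}.  The check only
    proves the build input equals what was recorded: a tarball that was
    backdoored upstream *before* its hash was recorded still reports "ok".
    """
    report = {}
    for name, (algo, want) in parse_sources(sources_text).items():
        data = tarballs.get(name)
        if data is None:
            report[name] = "missing"
        else:
            got = hashlib.new(algo, data).hexdigest()
            report[name] = "ok" if got == want else "mismatch"
    return report


# Constructed sample data (not real packages): bar was altered after its
# digest was recorded, baz was never uploaded to the build system.
GOOD = b"pristine upstream tarball bytes"
SOURCES = (
    f"SHA512 (foo-1.0.tar.gz) = {hashlib.sha512(GOOD).hexdigest()}\n"
    f"SHA512 (bar-2.0.tar.gz) = {hashlib.sha512(b'bar as released').hexdigest()}\n"
    f"SHA512 (baz-3.0.tar.gz) = {hashlib.sha512(b'baz').hexdigest()}\n"
)
TARBALLS = {"foo-1.0.tar.gz": GOOD, "bar-2.0.tar.gz": b"bar altered after release"}
REPORT = audit_tarballs(SOURCES, TARBALLS)
```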
