two questions

[Patrice Dumas]

On Wed, Aug 08, 2007 at 11:21:36PM +1000, John Pye wrote:
> Hi all,
> 
> I have contributed two packages now, and I have some questions that
> don't seem to have been clearly addressed in a way that I've actaully
> understood:
> 
> (1) after my package review, I get to add my files to CVS and build the
> package that ultimately gets into Fedora. What is to stop me from
> uploading something subtly (or even maliciously) different from the
> files that were actually reviewed? Thinking about that, wouldn't it be

Nothing, except other people eyes.

> better if CVS access (or some other kind of controlled file space) were
> used from the *start* of the package review process, rather than only at
> the end?

Another fedora contributor (including the reviewer) can check that the
md5sum in the 'sources' file are the same than during the review. In any
case the same issue happens for every upstream update of the source
tarball. At that point you'll have to change the sources file. Somebody
may check that you used the right source, but if not you may install
something malicious.

You can also do malicious things in the scriptlets, but it is much more
likely to be caught.

> (2) once my package is uploaded at it gets the NEXTRELEASE status, how
> does my package, which is currently shown with
> 'dist-fc7-updates-candidate' tag in koji, end up eventually in the
> Fedora Updates repository? Are there more steps that I need to follow?
> Is there some other review happening?

I wouldn't call it a review, but there is a process to push things to
stable releases:
http://fedoraproject.org/wiki/Infrastructure/UpdatesSystem/Bodhi-info-DRAFT

--
Pat