Process Change: Package Reviews with Flags

Patrice Dumas pertusus at free.fr
Wed Feb 7 16:18:18 UTC 2007


On Wed, Feb 07, 2007 at 05:12:34PM +0100, Dominik 'Rathann' Mierzejewski wrote:
> 
> That won't happen THAT easily. Isn't the sign-and-push process manual?
> Aren't the people who handle it supposed to check what they sign?

Although I agree that there are ways to find out that the package has been
modified, I am not convinced that the fact that sign-and-push is manual
is of any help. Indeed, I don't think that the people doing the sign-and-push
can check what they push; it's just too much work. They can be notified,
however, that a package has been compromised and remove it from the push.

> It would be stopped at the sign-and-push stage at worst. I'm sure there are
> many eyes following the cvs commits list. It would be spotted quite fast
> IMHO.

Agreed. And if that is not the case, it is what should be corrected.

--
Pat
