Re: FAKE: Fedora Extras shipped popular package with rootkit and more than ten thousands systems were infected (was Re: Summary from last weeks FESCo meeting)
- From: Thorsten Leemhuis <fedora leemhuis info>
- To: Discussion related to Fedora Extras <fedora-extras-list redhat com>
- Subject: Re: FAKE: Fedora Extras shipped popular package with rootkit and more than ten thousands systems were infected (was Re: Summary from last weeks FESCo meeting)
- Date: Thu, 01 Jun 2006 15:03:02 +0200
On Thursday, 01.06.2006, at 08:51 -0400, Konstantin Ryabitsev wrote:
> On 6/1/06, Thorsten Leemhuis <fedora leemhuis info> wrote:
> > 1. create a package, prepare it for review
> > 2. get it reviewed and yourself sponsored
> > 3. import it and build
> > 4. checkout some popular packages, upload new tarballs with slightly
> > different names and a root-kit in it. Modify the "Source0" accordingly
> > 5. commit the changes, hit "CTRL-C" at the right point of time so the
> > commit-message is not sent to commits-list
> > 6. wait until the maintainer fixes something else in the package and
> > rebuilds it without noticing the changes done to CVS in between
> Most of us have locally checked out copies of our packages [...]
What makes you sure that "most of us" do it like that? I for example
don't have them because I work on my packages from multiple machines. So
I always do a fresh checkout (that way I always get an up2date common
directory, too).
And in any case: "- instead of "6.": build the modified packages
yourself -- chances are quite low that somebody will notice it" remains.
Cu
thl
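
A maintainer-side check for the unnoticed "Source0" change discussed in this thread, as an added example that is not part of the original message or of any Fedora tooling: it compares the spec file the maintainer last built from against a fresh checkout and reports source tarballs whose name changed although Version did not. The function names and sample spec files are hypothetical and constructed for illustration.

```python
import re

# Matches the spec tags needed here: Name, Version and Source/Source0/Source1...
TAG = re.compile(r"^(Name|Version|Source\d*)[ \t]*:[ \t]*(\S+)", re.I | re.M)

def parse_spec(spec_text):
    """Return (version, {source_tag: tarball_basename}) from RPM spec text."""
    tags = {k.lower(): v for k, v in TAG.findall(spec_text)}
    macros = {"name": tags.get("name", ""), "version": tags.get("version", "")}

    def expand(value):
        # Only %{name} and %{version} are expanded; other macros stay literal.
        return re.sub(r"%\{?(name|version)\}?",
                      lambda m: macros[m.group(1)], value)

    sources = {k: expand(v).rsplit("/", 1)[-1]
               for k, v in tags.items() if k.startswith("source")}
    return macros["version"], sources

def audit(known_good_spec, fresh_spec):
    """List (tag, old_tarball, new_tarball) changes made without a Version bump.

    A renamed tarball at an unchanged Version is the pattern from the thread.
    A Version bump is not proof of a clean source; it still needs its checksum
    verified against upstream.
    """
    old_ver, old_src = parse_spec(known_good_spec)
    new_ver, new_src = parse_spec(fresh_spec)
    findings = []
    for tag in sorted(set(old_src) | set(new_src)):
        before, after = old_src.get(tag), new_src.get(tag)
        if before != after and old_ver == new_ver:
            findings.append((tag, before, after))
    return findings

# Constructed sample spec fragments (not from any real package).
KNOWN_GOOD = ("Name: foo\nVersion: 1.2.3\nRelease: 4\n"
              "Source0: http://upstream.example/%{name}-%{version}.tar.gz\n")
TAMPERED = ("Name: foo\nVersion: 1.2.3\nRelease: 5\n"
            "Source0: http://upstream.example/%{name}_%{version}.tar.gz\n")
UPDATED = ("Name: foo\nVersion: 1.2.4\nRelease: 1\n"
           "Source0: http://upstream.example/%{name}-%{version}.tar.gz\n")

if __name__ == "__main__":
    for tag, old, new in audit(KNOWN_GOOD, TAMPERED):
        print(f"{tag}: {old} -> {new} (Version unchanged, review before build)")
```

The check only helps if the known-good copy is kept somewhere other than the shared repository, for example alongside the last source RPM the maintainer built.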