Re: FAKE: Fedora Extras shipped popular package with rootkit and more than ten thousands systems were infected (was Re: Summary from last weeks FESCo meeting)

[Thorsten Leemhuis <fedora leemhuis info>]

Am Donnerstag, den 01.06.2006, 11:09 -0400 schrieb seth vidal:
> On Thu, 2006-06-01 at 17:00 +0200, Thorsten Leemhuis wrote:
> > The biggest problem probably is: There are plans to switch away from CVS
> > to something else after FC6 (no, that's all I know). So investing to
> > much time in the current system probably is not worth the trouble.
> > 
> > I would sleep already a lot better if at least the issue with "hit CTRL
> > +C at the right moment and no commit mail with the changes will be send"
> > would be fixed. But I don't know CVS enough and would be really glad if
> > someone could look into that. 
> > 
> > I would even sleep really good if there would be a mechanism that checks
> > md5sum's against upstream packages. But that's quite complicated to
> > implement and might be to much overhead.
> > 
> Actually, is it all that complicated?
> 
> for each package in cvs:
>  1. download the spec file
>  2. download the tarball that's been uploaded
>  3. download link in Source0 or Source
>  4. compare checksum to tarball's checksum
>  5. keep track of url to Source0 or Source and emit a notice whenever it
> changes
>
> wouldn't that really be all there is to it?.

Who says that the link to Source0 or Source is correct and not faked,
too? We would have to manage a whitelist for the script.

CU
thl

-- 
Thorsten Leemhuis <fedora leemhuis info>