[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Summary from last weeks FESCo meeting



> Ohh, sorry, yes, that was a bit misleading. The problem simply is: who
> checks that the md5 sums stored in CVS are fine / those from upstream?
> Nobody. I can upload a new version of package "foo" at any time and
> include a rootkit in the tarball I upload. No one would notice.

Anybody could notice that the source file has changed and could verify that 
the md5sum matches upstream. I don't think that anybody does, however
(I don't ;)...

--
Pat


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]