[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Summary from last weeks FESCo meeting



On Wed, 2006-05-31 at 20:53 +0200, Patrice Dumas wrote:
> > Ohh, sorry, yes, that was a bit misleading. The problem simply is: who
> > checks that the md5 sums stored in CVS are fine / those from upstream?
> > Nobody. I can upload a new version of package "foo" at any time and
> > include a rootkit in the tarball I upload. No one would notice.
> 
> Anybody could notice that the source file has changed and could verify that 
> the md5sum matches upstream. I don't think that anybody does, however
> (I don't ;)...

If the URL is full path, such a check could be scripted - though some
checks would need to be manual. Probably not at build time, but a
periodic audit.

Such a check could also catch cases where upstream does something dirty
and changes the src tarball without versioning - happened in one package
I reviewed during the review process.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]