[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: RPM security (a newbie question)



Rahul Sundaram wrote:
Probably there are lots of packages reviewed by their authors only?

Review and signing are two different processes. Every single new package
has to go through a review process as outlined in

http://fedoraproject.org/wiki/Packaging/ReviewGuidelines

Signing a package is done by a small number of people in the release
engineering team and they do that manually before pushing it into the
repositories.

Well, it looks that those "review guidelines" cover mostly administrative/legal issues. It looks that no one cares about the source code.

So it looks that it's quite possible to have a lot of trojan horses/rootkits/whatever in the distribution tree.

To get rid of it, we would have to review the source code.

STF

=======================================================================
http://eisenbits.homelinux.net/~stf/
OpenPGP: 9D25 3D89 75F1 DF1D F434  25D7 E87F A1B9 B80F 8062
=======================================================================

Attachment: signature.asc
Description: OpenPGP digital signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]