
Re: RPM security (a newbie question)



Rahul Sundaram wrote:
> Stanisław T. Findeisen wrote:
>> Well, it looks that those "review guidelines" cover mostly
>> administrative/legal issues. It looks that no one cares about the
>> source code.
>
> You missed that the review guidelines has a source check as well.
> Read it in detail.

While the review guidelines do make sure that the source code matches
upstream¹, that doesn't ensure that upstream doesn't have backdoors,
holes, malicious content, etc.

The only solution for that is more eyes looking over the code that
makes up the OS.  What mitigates that is knowing that if upstream has
such code, it may be noticed not only by Fedora, but by any other
distro or user.  And that would surely become known rather quickly.

One big advantage that free software has is that anyone is free to
look over the code.  The more people that use that freedom, the better
off we'll all be.

¹ https://fedoraproject.org/wiki/Packaging:ReviewGuidelines includes:
  MUST: The sources used to build the package must match the upstream
  source, as provided in the spec URL.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I always keep a supply of stimulant handy in case I see a snake -
which I also keep handy.
    -- W. C. Fields
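As an added illustration of the source check quoted in the footnote (not code from this post, from Fedora's review tooling, or from rpm itself): a small Python checker that expands the %{name} and %{version} macros in a spec's SourceN tags, hashes the files shipped in the SRPM, and compares them against digests the reviewer took from a fresh upstream download. The spec text, file contents, package name and the example.invalid URL are all constructed for the demo.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample spec (not a real Fedora package); rpm expands %{name}
# and %{version} in the Source0 URL, so the checker has to do the same.
SAMPLE_SPEC = """\
Name:    examplepkg
Version: 1.2.3
Source0: https://example.invalid/releases/%{name}-%{version}.tar.gz
Source1: examplepkg.desktop
"""
MACRO_RE = re.compile(r"%\{(\w+)\}")
TAG_RE = re.compile(r"^(Name|Version|Source\d*):\s*(\S+)", re.I | re.M)

def source_files(spec_text):
    """Map each source's basename to its SourceN value with macros expanded."""
    macros, raw_sources = {}, []
    for tag, value in TAG_RE.findall(spec_text):
        if tag.lower().startswith("source"):
            raw_sources.append(value)
        else:
            macros[tag.lower()] = value
    expand = lambda m: macros.get(m.group(1).lower(), m.group(0))
    urls = [MACRO_RE.sub(expand, v) for v in raw_sources]
    return {u.rsplit("/", 1)[-1]: u for u in urls}

def check_sources(spec_text, sources_dir, upstream_digests):
    """Compare each packaged source with the sha256 of its upstream copy.
    upstream_digests maps expanded SourceN values to digests taken from a fresh
    download (out of band, so this runs offline); missing file = mismatch."""
    result = {}
    for name, url in source_files(spec_text).items():
        local = Path(sources_dir) / name
        digest = hashlib.sha256(local.read_bytes()).hexdigest() if local.is_file() else None
        result[name] = digest is not None and digest == upstream_digests.get(url)
    return result

def demo():
    """Constructed run: Source0 is pristine, Source1 was altered in the SRPM."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "examplepkg-1.2.3.tar.gz").write_bytes(b"pristine tarball bytes")
        (Path(d) / "examplepkg.desktop").write_bytes(b"Exec=examplepkg --phone-home\n")
        upstream = {
            "https://example.invalid/releases/examplepkg-1.2.3.tar.gz":
                hashlib.sha256(b"pristine tarball bytes").hexdigest(),
            "examplepkg.desktop": hashlib.sha256(b"Exec=examplepkg\n").hexdigest(),
        }
        return check_sources(SAMPLE_SPEC, d, upstream)
```

A real review would feed the digests from `sha256sum` on the freshly downloaded upstream files; the point of the check is that a tarball that passes it can still contain whatever upstream put there.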
