[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: RPM security (a newbie question)



Todd Zullinger wrote:
> Rahul Sundaram wrote:
>> Stanisław T. Findeisen wrote:
>>> Well, it looks that those "review guidelines" cover mostly
>>> administrative/legal issues. It looks that no one cares about the
>>> source code.
>> You missed that the review guidelines has a source check as well.
>> Read it in detail.
> 
> While the review guidelines do make sure that the source code matches
> upstream¹, that doesn't ensure that upstream doesn't have backdoors,
> holes, malicious content, etc.

That's a totally different question IMO. We at the distribution level
can only check whether there is a packaging level attempt at introducing
a security hole. Doing a complete security audit of all the code that is
being included is not feasible at all at the distribution level. This
btw, has nothing to do with RPM or any other packaging method. All
distributions work on the principle that upstream projects are
responsible at the code level for their own security. We can add things
like compiler options and firewalls but that doesn't prevent a upstream
security hole from being exploited, whether introduced accidentally or not.

Rahul


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]