Rahul Sundaram wrote:
While the review guidelines do make sure that the source code matches upstream¹, that doesn't ensure that upstream doesn't have backdoors, holes, malicious content, etc. That's a totally different question IMO. We at the distribution level can only check whether there is a packaging level attempt at introducing a security hole. Doing a complete security audit of all the code that is being included is not feasible at all at the distribution level. This btw, has nothing to do with RPM or any other packaging method. All distributions work on the principle that upstream projects are responsible at the code level for their own security. We can add things like compiler options and firewalls but that doesn't prevent an upstream security hole from being exploited, whether introduced accidentally or not.
Okay is there any software written specifically for Fedora? KDE gadgets, or such?
If so, then I guess we should monitor it at the distribution level.

STF
=======================================================================
http://eisenbits.homelinux.net/~stf/
OpenPGP: 9D25 3D89 75F1 DF1D F434 25D7 E87F A1B9 B80F 8062
=======================================================================