Tim wrote: > It'll take quite some effort, not impossible, but very difficult, to > get a signed compromising package into the repos. One rogue package maintainer could do it easily. In fact, if one rogue upstream provided a tarball with a backdoor in it, it might slip into many distributions before it was noticed. There are source audits of the fedora packages, to check that the tarballs which have been uploaded to our buildsystem match what upstream has provided, but these checks aren't run on a daily basis. And they wouldn't catch the problem of a tarball that was compromised upstream. The scary possibility is that it's probably easier than many people think it is. -- Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The sunshine bores the daylights out of me. Chasing shadows moonlight mystery.
Description: PGP signature