
Re: Is this possible in Fedora?



Tim wrote:
> It'll take quite some effort, not impossible, but very difficult, to
> get a signed compromising package into the repos.

One rogue package maintainer could do it easily.  In fact, if one
rogue upstream provided a tarball with a backdoor in it, it might slip
into many distributions before it was noticed.

There are source audits of the fedora packages, to check that the
tarballs which have been uploaded to our buildsystem match what
upstream has provided, but these checks aren't run on a daily basis.
And they wouldn't catch the problem of a tarball that was compromised
upstream.

The scary possibility is that it's probably easier than many people
think it is.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The sunshine bores the daylights out of me.
Chasing shadows moonlight mystery.

Attachment: pgpr5DraPcHlV.pgp
Description: PGP signature
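The source audit the message describes, checking that the tarball held in the build system is byte-for-byte what upstream published, comes down to comparing the build-system copy's digest with the checksum upstream publishes for the release. The following is an added example, not code from Fedora's build system or from the poster; `SourceRecord`, `audit_sources` and the sample tarball bytes are assumptions constructed here to illustrate the check and the limit the message points out, namely that a tarball tampered with upstream passes it, because upstream's own checksum was computed over the tampered bytes.

```python
"""Source-audit check: confirm that the tarball stored in the build system
matches what upstream published, by comparing SHA-256 digests.

Added illustration, not project code. All names and sample data are
constructed assumptions."""
import hashlib
from dataclasses import dataclass


@dataclass
class SourceRecord:
    package: str
    build_tarball: bytes   # bytes of the tarball held in the build system
    upstream_sha256: str   # digest upstream publishes next to its release


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_sources(records):
    """Return the names of packages whose build-system tarball differs
    from what upstream published; matching packages are accepted."""
    mismatches = []
    for rec in records:
        if sha256_hex(rec.build_tarball) != rec.upstream_sha256:
            mismatches.append(rec.package)
    return mismatches


# Constructed sample data (not real packages or releases).
UPSTREAM_CLEAN = b"clean upstream release of foo-1.0\n"
UPSTREAM_TAMPERED = b"upstream release of bar-2.0 with an unreviewed change\n"

SAMPLE_RECORDS = [
    # Honest: the build system holds exactly what upstream published.
    SourceRecord("foo", UPSTREAM_CLEAN, sha256_hex(UPSTREAM_CLEAN)),
    # Modified after upload: the build-system bytes differ from upstream's,
    # so the digest no longer matches upstream's checksum and the audit
    # flags the package.
    SourceRecord("foo-modified", UPSTREAM_CLEAN + b"# extra\n",
                 sha256_hex(UPSTREAM_CLEAN)),
    # Compromised upstream: the published checksum was computed over the
    # tampered tarball itself, so this check cannot tell anything is wrong.
    SourceRecord("bar", UPSTREAM_TAMPERED, sha256_hex(UPSTREAM_TAMPERED)),
]

if __name__ == "__main__":
    print("packages differing from upstream:", audit_sources(SAMPLE_RECORDS))
```

Run as a script, this reports only `foo-modified`; `bar` is accepted even though its upstream release was altered, which is exactly why a build-system-versus-upstream comparison is a check on the packaging step and not on upstream itself.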

