On Wed, Feb 07, 2007 at 05:12:34PM +0100, Dominik 'Rathann' Mierzejewski wrote:

> > That won't happen THAT easily. Isn't the sign-and-push process manual?
> Aren't the people who handle it supposed to check what they sign?

Although I agree that there are ways to find that the package has been modified, I am not convinced that the fact that sign-and-push is manual is of any help. Indeed I don't think that people doing the sign-and-push can check what they push, it's just too much work. They can be notified, however, that a package has been compromised and remove it from push.

> It would be stopped at the sign-and-push stage at worst. I'm sure there are
> many eyes following the cvs commits list. It would be spotted quite fast
> IMHO.

Agreed. And if it is not the case it is what should be corrected.

--
Pat

--
Fedora-maintainers mailing list
Fedora-maintainers@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-maintainers