Rahul Sundaram wrote: > Stanisław T. Findeisen wrote: >> Well, it looks that those "review guidelines" cover mostly >> administrative/legal issues. It looks that no one cares about the >> source code. > > You missed that the review guidelines has a source check as well. > Read it in detail. While the review guidelines do make sure that the source code matches upstream¹, that doesn't ensure that upstream doesn't have backdoors, holes, malicious content, etc. The only solution for that is more eyes loooking over the code that makes up the OS. What mitigates that is knowing that if upstream has such code, it may be noticed not only by Fedora, but by any other distro or user. And that would surely become known rather quickly. One big advantage that free software has is that anyone is free to look over the code. The more people that use that freedom, the better off we'll all be. ¹ https://fedoraproject.org/wiki/Packaging:ReviewGuidelines includes: MUST: The sources used to build the package must match the upstream source, as provided in the spec URL. -- Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ I always keep a supply of stimulant handy in case I see a snake - which I also keep handy. -- W. C. Fields
Attachment:
pgp7qRafHNTD3.pgp
Description: PGP signature
-- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines