On 16.02.2015, Ranjan Maitra wrote: > The problem I am having is that the stapler version at the URL is called > stapler-master.. In the .spec file, you have a line like this: Source0: https://github.com/hellerbarde/stapler/archive/master.zip I think this is a security hole, because anybody with access to the git tree can manipulate the code which gets packaged here, and your rpm build process will gladly download and build it. How about downloading the source, building and and distributing it via the official Fedora repos, with you as the maintainer? The .rpm would get signed. Btw: a big thanks that you try to help us out by replacing pdftk. It is/was a tool I used a lot, and I appreciate your work! -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
