On Tue, 2004-06-22 at 18:32 -0400, Jeremy Katz wrote:
> On Tue, 2004-06-22 at 17:33 -0400, Elliot Lee wrote:
> > Adding a 'cvs' dependency to 'gettext' will upset a few people, but it's
> > really not that bad a thing.
>
> Actually, the use of cvs like this strikes me as adding an easy way to
> trojan builds. Come up with a way to compromise the CVS server or just
> DNS mitm to masquerade as it and then drop in whatever you want into
> someone's package.

Actually it's my understanding that it doesn't talk to an external server. It extracts a local file (/usr/share/gettext/archive.tar.gz), which is just a tarred-up CVS repository. Why in the world it does this is beyond me, but....