On Thu, 2013-05-23 at 18:29 +0300, Panu Matilainen wrote:

> Rpm >= 4.10 can automatically download remote sources and patches over
> http and ftp, but since there's (currently) no way to verify downloaded
> content the feature is disabled by default as it's quite a security risk
> to download arbitrary content from the internet without checking
> checksums at least.

And note that it's as much Fedora policy as packaging stack capabilities that prevents this happening at present: as discussed in another thread, it's a fundamental part of the Fedora packaging system's design that the builders have no outside access, and it's the package maintainer's explicit responsibility to provide the source files to the build system. (The implication of this is that it is the package maintainer's responsibility to provide, and verify that they are providing, the _correct_ sources.)

We could of course build the smarts into the fedpkg layer - have some fedpkg commands for checking out and building tarballs of SCM-hosted content - but then you've just moved the security risk Panu mentioned to that layer; if we do that it kind of sends a bad implication that it's fine to just trust whatever you get from the SCM URL.

Thinking about this, it's one reason the style of doing 'git snapshot' builds where you have Source0 be the last stable tarball and then include the full patch series to master as generated by 'git format-patch' as Patches could be considered superior to simply including a git master snapshot tarball: at least if someone's concerned about some kind of breach, they have an easily-verifiable base to work off - as there should be an official checksum for the last release tarball - and only have to check the patches for problems, rather than checking the entire tree.
I think, to be honest, a lot of us as packagers slip some way short of the 'ideals' here in day-to-day life, but that's probably no excuse for making it _easier_ to avoid our responsibilities :)

-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
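The "verifiable base plus reviewable patch series" workflow described in the message above, as an added worked example; this is not code from the thread, from rpm or from fedpkg. It verifies the Source0 tarball against its published checksum before touching any patch, checks that the Patches are the complete, ordered output of one `git format-patch` run, and reports how much a reviewer actually has to read on top of the trusted release. The tarball, its "official" checksum, the patch texts and the file names (`foo-1.0/main.c`) are all constructed inline so that it runs offline; in real use the expected checksum comes from upstream's release announcement or SHA256SUMS file, not from the tarball itself.

```python
"""Verify a packaged base tarball against its known checksum, then size up the
patch series layered on top of it. Added example, not from the mailing-list
thread or from rpm/fedpkg; all inputs below are constructed."""
import hashlib
import io
import re
import tarfile
from typing import Dict, List

# Constructed sample patches in `git format-patch` output style (not real
# upstream patches). Paths are relative to the tarball's top directory, as
# they would be for %patch -p1.
PATCHES = [
"""From 0000000000000000000000000000000000000001 Mon Sep 17 00:00:00 2001
From: Example Dev <dev@example.invalid>
Subject: [PATCH 1/2] main: return explicit status

---
 main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main.c b/main.c
--- a/main.c
+++ b/main.c
@@ -1 +1 @@
-int main(void) { return 0; }
+int main(void) { return EXIT_SUCCESS; }
""",
"""From 0000000000000000000000000000000000000002 Mon Sep 17 00:00:00 2001
From: Example Dev <dev@example.invalid>
Subject: [PATCH 2/2] main: include stdlib.h for EXIT_SUCCESS

---
diff --git a/main.c b/main.c
--- a/main.c
+++ b/main.c
@@ -1 +1,2 @@
+#include <stdlib.h>
 int main(void) { return EXIT_SUCCESS; }
""",
]

SUBJECT_RE = re.compile(r"^Subject: \[PATCH (\d+)/(\d+)\]", re.M)


def build_sample_tarball() -> bytes:
    """Constructed stand-in for an upstream release tarball (foo-1.0.tar)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, text in (("foo-1.0/main.c", "int main(void) { return 0; }\n"),
                           ("foo-1.0/README", "foo 1.0\n")):
            payload = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            info.mtime = 0
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def verify_source(tarball: bytes, expected_sha256: str) -> bool:
    """Compare the packaged Source0 bytes against the published checksum."""
    return hashlib.sha256(tarball).hexdigest() == expected_sha256.lower()


def patch_stats(patch: str) -> Dict[str, object]:
    """Count what a reviewer must read in one patch: files touched, added and
    removed lines. Mail headers, the diffstat and hunk headers are skipped."""
    files, added, removed = set(), 0, 0
    in_diff = False
    for line in patch.splitlines():
        if line.startswith("diff --git "):
            in_diff = True
            files.add(line.split()[-1][2:])  # strip the "b/" prefix
        elif not in_diff:
            continue
        elif line.startswith("+++ ") or line.startswith("--- "):
            continue
        elif line.startswith("+"):
            added += 1
        elif line.startswith("-"):
            removed += 1
    return {"files": sorted(files), "added": added, "removed": removed}


def check_series(patches: List[str]) -> List[str]:
    """Require the series to be one complete, ordered `git format-patch` run:
    every patch carries [PATCH n/N] with the same N and n runs 1..N with no
    gaps. Returns a list of problems; empty means the series is consistent."""
    problems, numbers, total = [], [], None
    for i, patch in enumerate(patches, 1):
        m = SUBJECT_RE.search(patch)
        if not m:
            problems.append("patch %d: no [PATCH n/N] subject" % i)
            continue
        n, total_here = int(m.group(1)), int(m.group(2))
        if total is None:
            total = total_here
        elif total_here != total:
            problems.append("patch %d: series length %d != %d" % (i, total_here, total))
        numbers.append(n)
    if total is not None and numbers != list(range(1, total + 1)):
        problems.append("patch numbering %s is not 1..%d" % (numbers, total))
    return problems


def review_plan(tarball: bytes, expected_sha256: str, patches: List[str]) -> Dict[str, object]:
    """Refuse to go near the patches until the base is verified, then report
    the review surface on top of the already-trusted release."""
    if not verify_source(tarball, expected_sha256):
        raise ValueError("Source0 checksum mismatch: do not build from this tarball")
    problems = check_series(patches)
    if problems:
        raise ValueError("patch series is not a clean format-patch run: " + "; ".join(problems))
    stats = [patch_stats(p) for p in patches]
    return {
        "patches": len(patches),
        "files": sorted({f for s in stats for f in s["files"]}),
        "added": sum(s["added"] for s in stats),
        "removed": sum(s["removed"] for s in stats),
    }


# Stand-in for the checksum published with the upstream release; here it is
# derived from the pristine constructed tarball because the example is offline.
SAMPLE_TARBALL = build_sample_tarball()
OFFICIAL_SHA256 = hashlib.sha256(SAMPLE_TARBALL).hexdigest()

if __name__ == "__main__":
    print(review_plan(SAMPLE_TARBALL, OFFICIAL_SHA256, PATCHES))
    tampered = SAMPLE_TARBALL[:-1] + bytes([SAMPLE_TARBALL[-1] ^ 1])
    try:
        review_plan(tampered, OFFICIAL_SHA256, PATCHES)
    except ValueError as e:
        print("rejected:", e)
```

The ordering matters: a checksum failure stops everything before a single patch is parsed, because a patch series on top of an unverified tree gives the reviewer nothing to anchor to. The series check catches a dropped or reordered patch, which is the other way a "last release plus patches" package can silently diverge from what the maintainer thinks they reviewed.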