Re: Software Management call for RFEs

On Fri, 2013-05-24 at 10:11 -0700, Adam Williamson wrote:

> We could of course build the smarts into the fedpkg layer - have some
> fedpkg commands for checking out and building tarballs of SCM-hosted
> content - but then you've just moved the security risk Panu mentioned to
> that layer; if we do that it kind of sends a bad implication that it's
> fine to just trust whatever you get from the SCM URL.

I'm not going to debate this extensively, because unless someone who can
actually change things is planning to do so, it's just pointless noise.

But basically there are two threats:

1) MITM attacks by third parties.  Answer: SSL.  Yes, it's not perfect,
   but it's good enough for online banking.  Yes, governments and
   affiliated groups have wildcard certificates, but there are defenses.
   Manual human signoff on new root CAs would be pretty good.

2) Corrupted repository server side: The answer to this is to have a
   system that actually *encourages* people to look at the source code.
   If you truly wanted to be serious about that, we could have a UI
   that actually you know, unpacks the source by default, diffs it
   from the previous, and requires human signoff before building it.
   But at the moment, all the crappy package metadata sadly is what's
   front and center, not the actual source code.



-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel