On 11/28/2015 11:53 PM, Alexander Ploumistos wrote: > On Sun, Nov 29, 2015 at 12:21 AM, Till Maas <opensource@xxxxxxxxx> wrote: >> On Sun, Nov 29, 2015 at 12:10:07AM +0200, Alexander Ploumistos wrote: >>> How come datagrepper lists FAF reports for the package from 2015-07-20, >>> when it hadn't been included yet? >> >> Who said it was not included? It was until now. It will be gone from the >> mirrors after the next update push. > > The package is first mentioned in the package db on the 20th of November (2015): > https://admin.fedoraproject.org/pkgdb/package/rpg/timeline > > However, datagrepper has FAF reports for rpg that were filed in July and August: > https://apps.fedoraproject.org/datagrepper/raw?package=rpg&topic=org.fedoraproject.prod.faf.report.threshold1 > > How is that possible? Apparently, ABRT reports crashes for packages not part of Fedora. Here's another example: <https://apps.fedoraproject.org/datagrepper/raw?package=SpiderOakBlue&topic=org.fedoraproject.prod.faf.report.threshold1> A possible fix would be to look at the signing key in the RPM database and report only packages which are signed with an official Fedora key. But that does not work because not all packages are signed. But apart from that, I don't see any way to identify Fedora packages as genuine. Florian -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
