Re: Pondering security update time frames

On Monday, October 31, 2016 1:45:22 PM CET Florian Weimer wrote:
> On 10/26/2016 02:45 PM, Pavel Raiskup wrote:
> > On Wednesday, October 26, 2016 1:33:34 PM CEST Florian Weimer wrote:
> >> Debian does not build from SCM, but directly from maintainer-uploaded
> >> source packages, so there is no need to have a private SCM.
> >
> > Do we have good marketing for the fact that we are that "superior"
> > compared to Debian then?  Sounds like a main thing for a distro comparison
> > article:  It sounds like it is much, *much* more difficult to get malicious
> > software into the distribution (without noticing) for a Fedora packager than
> > for a Debian packager, right?
> 
> You need people to actually look at stuff that's being uploaded.  I 
> don't think there is a key difference between Fedora and Debian as far 
> as this aspect is concerned.  D
> 
> In addition, Koji likely allows you to create tagged builds which came 
> from SRPMs, so I don't think there is an actual difference here in 
> terms of attack surface (at least not in Fedora's favor).

Do you mean that this is allowed by policy or that this is "implemented"?

Pavel
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx