On 10/31/2016 02:01 PM, Pavel Raiskup wrote:
> On Monday, October 31, 2016 1:45:22 PM CET Florian Weimer wrote:
>> On 10/26/2016 02:45 PM, Pavel Raiskup wrote:
>>> On Wednesday, October 26, 2016 1:33:34 PM CEST Florian Weimer wrote:
>>>> Debian does not build from SCM, but directly from maintainer-uploaded
>>>> source packages, so there is no need to have a private SCM.
>>>
>>> Do we have a good marketing for the fact that we are that "superior"
>>> compared to Debian then? Sounds like a main thing for a distro comparison
>>> article: It sounds like this is much, *much* more difficult to get malicious
>>> software into distribution (without noticing) for Fedora packager than for
>>> Debian packager, right?
>>
>> You need people to actually look at stuff that's being uploaded. I
>> don't think there is a key difference between Fedora and Debian as far
>> as this aspect is concerned.
>>
>> In addition, Koji likely allows you to create tagged builds which came
>> from SRPMs, so I don't think there is an actual difference here in
>> terms of attack surface (at least not in Fedora's favor).
>
> Do you mean that this is allowed by policy or that this is "implemented"?
I don't think Koji implements the necessary build provenance checks to
implement a different policy.
Thanks,
Florian
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
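The kind of build provenance check the thread says Koji does not implement, as an added example (not Koji's, Fedora's, or either poster's code): an audit over build records that flags any tagged build whose `source` is not a pinned commit in the trusted dist-git. It assumes records shaped like the dicts Koji's `getBuild()` returns (`nvr`, `owner_name`, `source`), that SCM builds carry a `source` of the form `git+https://src.fedoraproject.org/rpms/<name>.git#<commit>`, and that the trusted host is `src.fedoraproject.org`; the records in `SAMPLE_BUILDS` are constructed sample data, not real Koji output.

```python
"""Audit Koji-style build records for source provenance.

Added example, not Koji's or Fedora's code. Assumptions: build records
are dicts with 'nvr', 'owner_name' and 'source' (the shape of Koji's
getBuild() result), dist-git builds record a source of the form
    git+https://src.fedoraproject.org/rpms/<name>.git#<commit>
and src.fedoraproject.org is the only trusted SCM host. SAMPLE_BUILDS
below is constructed sample data, not real Koji output.
"""
import re
from urllib.parse import urlparse

DISTGIT_HOST = "src.fedoraproject.org"      # assumed trusted SCM host
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")    # a pinned git commit, not a branch

# Constructed sample records covering the cases a policy has to handle.
SAMPLE_BUILDS = [
    {"nvr": "glibc-2.24-4.fc25", "owner_name": "fweimer",
     "source": "git+https://src.fedoraproject.org/rpms/glibc.git#"
               "0123456789abcdef0123456789abcdef01234567"},
    {"nvr": "foo-1.0-1.fc25", "owner_name": "alice",
     "source": "git+https://src.fedoraproject.org/rpms/foo.git#master"},
    {"nvr": "bar-2.1-3.fc25", "owner_name": "bob",
     "source": "cli-build/1477919231.9/bar-2.1-3.fc25.src.rpm"},
    {"nvr": "baz-0.9-1.fc25", "owner_name": "carol",
     "source": "git+https://example.invalid/rpms/baz.git#"
               "89abcdef0123456789abcdef0123456789abcdef"},
    {"nvr": "qux-3.0-1.fc25", "owner_name": "dave", "source": None},
]


def classify_source(source):
    """Return (verdict, reason) for one build's 'source' value.

    Only 'distgit' means the build can be traced to a specific, reviewable
    commit in the trusted SCM; everything else is a provenance gap.
    """
    if not source:
        return "unknown", "no source recorded"
    if not source.startswith("git+"):
        # e.g. an SRPM uploaded by the packager: nothing ties it to the SCM.
        return "srpm-upload", "not built from SCM"
    url = urlparse(source[len("git+"):])
    if url.scheme != "https" or url.hostname != DISTGIT_HOST:
        return "foreign-scm", f"host {url.hostname!r} is not {DISTGIT_HOST}"
    if not FULL_SHA.match(url.fragment or ""):
        # A branch name can be rewritten after the build; a hash cannot.
        return "unpinned", f"ref {url.fragment!r} is not a full commit hash"
    return "distgit", "pinned dist-git commit"


def audit(builds):
    """Return (nvr, owner, verdict, reason) for every build that would
    fail a dist-git-only tagging policy."""
    findings = []
    for b in builds:
        verdict, reason = classify_source(b.get("source"))
        if verdict != "distgit":
            findings.append((b["nvr"], b.get("owner_name"), verdict, reason))
    return findings


if __name__ == "__main__":
    for nvr, owner, verdict, reason in audit(SAMPLE_BUILDS):
        print(f"{nvr:20} {owner:8} {verdict:12} {reason}")
```

Run against real data, `SAMPLE_BUILDS` would be replaced by the records for the builds in a tag; the point of the `unpinned` and `foreign-scm` verdicts is that "came from git" alone is not provenance, since a branch reference or an untrusted host gives no more assurance than an uploaded SRPM.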