On Mon, 31 Oct 2016 14:12:24 +0100 Florian Weimer <fweimer@xxxxxxxxxx> wrote: > On 10/31/2016 02:01 PM, Pavel Raiskup wrote: > > On Monday, October 31, 2016 1:45:22 PM CET Florian Weimer wrote: > >> On 10/26/2016 02:45 PM, Pavel Raiskup wrote: > >>> On Wednesday, October 26, 2016 1:33:34 PM CEST Florian Weimer > >>> wrote: > >>>> Debian does not build from SCM, but directly from > >>>> maintainer-uploaded source packages, so there is no need to have > >>>> a private SCM. > >>> > >>> Do we have a good marketing for the fact that we are that > >>> "superior" compared to Debian then? Sounds like a main thing for > >>> for distro comparison article: It sounds like this is much, > >>> *much* more difficult to get malicious software into distribution > >>> (without noticing) for Fedora packager than for Debian packager, > >>> right? > >> > >> You need people to actually look at stuff that's being uploaded. I > >> don't think there is a key difference between Fedora and Debian as > >> far as this aspect is concerned. D > >> > >> In addition, Koji likely allows you to create tagged builds which > >> came from SRPMs, so I don't think there is an actually difference > >> here in terms of attack surface (at least not in Fedora's favor). > > > > Do you mean that this is allowed by policy or that this is > > "implemented"? > > I don't think Koji implements the necessary build provenience checks > to implement a different policy. koji only allows src.rpms to be used for scratch builds or if you have the koji admin permission. Otherwise you must build all official builds from our packages git with a known hash. So, no, regular packagers cannot tag src.rpm builds into anything. kevin
Attachment:
pgpVy_L8TgpOJ.pgp
Description: OpenPGP digital signature
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
