Re: Pondering security update time frames

On Mon, 31 Oct 2016 14:12:24 +0100
Florian Weimer <fweimer@xxxxxxxxxx> wrote:

> On 10/31/2016 02:01 PM, Pavel Raiskup wrote:
> > On Monday, October 31, 2016 1:45:22 PM CET Florian Weimer wrote:  
> >> On 10/26/2016 02:45 PM, Pavel Raiskup wrote:  
> >>> On Wednesday, October 26, 2016 1:33:34 PM CEST Florian Weimer
> >>> wrote:  
> >>>> Debian does not build from SCM, but directly from
> >>>> maintainer-uploaded source packages, so there is no need to have
> >>>> a private SCM.  
> >>>
> >>> Do we have a good marketing for the fact that we are that
> >>> "superior" compared to Debian then?  Sounds like a main thing for
> >>> distro comparison article:  It sounds like this is much,
> >>> *much* more difficult to get malicious software into distribution
> >>> (without noticing) for Fedora packager than for Debian packager,
> >>> right?  
> >>
> >> You need people to actually look at stuff that's being uploaded.  I
> >> don't think there is a key difference between Fedora and Debian as
> >> far as this aspect is concerned.
> >>
> >> In addition, Koji likely allows you to create tagged builds which
> >> came from SRPMs, so I don't think there is an actual difference
> >> here in terms of attack surface (at least not in Fedora's favor).  
> >
> > Do you mean that this is allowed by policy or that this is
> > "implemented"?  
> 
> I don't think Koji implements the necessary build provenance checks
> to implement a different policy.

koji only allows src.rpms to be used for scratch builds or if you have
the koji admin permission. Otherwise you must build all official builds
from our packages git with a known hash.  

So, no, regular packagers cannot tag src.rpm builds into anything. 

kevin
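The policy Kevin describes (src.rpm input only for scratch builds or with the admin permission; everything else built from dist-git at a known commit hash) is a build-provenance gate. The following is an added illustration of that gate as a standalone check, written for this page and not taken from Koji or any Fedora tooling; the source-string formats, the permission name `admin`, and the sample requests are all assumptions chosen for the example.

```python
import re
from dataclasses import dataclass

# Constructed model of the build-source policy described in the mail above.
# This is NOT Koji's code. Assumed (hypothetical) input forms:
#   - dist-git source: "git+https://<host>/rpms/<pkg>.git#<ref>"
#   - uploaded source package: "<name>-<ver>-<rel>.src.rpm"
FULL_SHA1 = re.compile(r"^[0-9a-f]{40}$")
GIT_SOURCE = re.compile(r"^git\+https://[^#\s]+\.git#(?P<ref>\S+)$")


@dataclass(frozen=True)
class BuildRequest:
    source: str
    scratch: bool = False              # scratch builds are never tagged into a target
    user_perms: frozenset = frozenset()  # e.g. frozenset({"admin"}); assumed name


def classify_source(source: str) -> str:
    """Return 'git', 'srpm' or 'unknown' for a build source string."""
    if GIT_SOURCE.match(source):
        return "git"
    if source.endswith(".src.rpm"):
        return "srpm"
    return "unknown"


def pinned_commit(source: str):
    """Return the 40-hex commit hash of a git source, or None when the ref is a
    branch or tag. Mutable refs are rejected because the built tree could be
    changed after review without the build record changing."""
    m = GIT_SOURCE.match(source)
    if not m:
        return None
    ref = m.group("ref")
    return ref if FULL_SHA1.match(ref) else None


def decide(req: BuildRequest) -> tuple:
    """Apply the policy: returns (allowed, reason)."""
    kind = classify_source(req.source)
    if kind == "git":
        if pinned_commit(req.source) is None:
            return False, "git source must reference a full commit hash"
        return True, "git source pinned to commit"
    if kind == "srpm":
        if req.scratch:
            return True, "src.rpm allowed for scratch build (result is not taggable)"
        if "admin" in req.user_perms:
            return True, "src.rpm allowed via admin permission"
        return False, "src.rpm not allowed for official builds"
    return False, "unrecognised source form"


def demo():
    """Run the policy over constructed sample requests and return the decisions."""
    commit = "0123456789abcdef0123456789abcdef01234567"  # constructed hash
    samples = [
        BuildRequest(f"git+https://src.example.org/rpms/foo.git#{commit}"),
        BuildRequest("git+https://src.example.org/rpms/foo.git#rawhide"),
        BuildRequest("foo-1.0-1.src.rpm"),
        BuildRequest("foo-1.0-1.src.rpm", scratch=True),
        BuildRequest("foo-1.0-1.src.rpm", user_perms=frozenset({"admin"})),
        BuildRequest("https://example.org/foo.tar.gz"),
    ]
    return [(r.source, r.scratch, *decide(r)) for r in samples]


if __name__ == "__main__":
    for source, scratch, allowed, reason in demo():
        print(f"{'ALLOW' if allowed else 'DENY ':5} scratch={scratch!s:5} {source}: {reason}")
```

The interesting property is the one Kevin's reply relies on: a non-scratch build from an uploaded src.rpm is refused unless the requester holds the admin permission, so an ordinary packager's only route to a taggable build is a commit that already exists in the shared git history.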

