Re: Is it possible to upload new sources of a package from a URL?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2017-09-25, Hedayat Vatankhah <hedayat.fwd@xxxxxxxxx> wrote:
> /*Pierre-yves Chibon*/ wrote on Mon, 25 Sep 2017 09:38:39 +0200:
>> It's an interesting idea but then it would become quite hard to check
>> if there is a mitm attack of some sort. With the current process, at
>> least the packager has the possibility to check the sources locally
>> before uploading them into Fedora.
>> The solution would be to provide the sha + the url and let the down
>> be server side but that won't save you from downloading the sources
>> locally first.
> Yes, but even if I'm forced to download locally, it is much better than 
> being forced to upload it again. (Also, note that the current process 
> doesn't prevent MITM if it happens when I download the source).

A packager is responsible for reviewing the code before uploading it to the
Fedora infrastructure. It does not mattter whether the code matches what
upstream released. Actually in some cases the code is intentionally
changed by the packagers (e.g. when removing bad-licensed code).

In other words Fedora does not care about MITM between the upstream and
the packager. What matters is connection between the packager and
Fedora.

That does not mean the packager should not be concerned by MITM on him
or upstream. It just cannot to be Fedora's business.

-- Petr
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux