On Tue, Sep 26, 2017 at 07:18:12AM +0000, Petr Pisar wrote:
> On 2017-09-25, Hedayat Vatankhah <hedayat.fwd@xxxxxxxxx> wrote:
> > /*Pierre-yves Chibon*/ wrote on Mon, 25 Sep 2017 09:38:39 +0200:
> >> It's an interesting idea but then it would become quite hard to check
> >> if there is a mitm attack of some sort. With the current process, at
> >> least the packager has the possibility to check the sources locally
> >> before uploading them into Fedora.
> >> The solution would be to provide the sha + the url and let the download
> >> be server side but that won't save you from downloading the sources
> >> locally first.
> > Yes, but even if I'm forced to download locally, it is much better than
> > being forced to upload it again. (Also, note that the current process
> > doesn't prevent MITM if it happens when I download the source).
>
> A packager is responsible for reviewing the code before uploading it to the
> Fedora infrastructure. It does not matter whether the code matches what
> upstream released. Actually in some cases the code is intentionally
> changed by the packagers (e.g. when removing bad-licensed code).

Are there any tools you'd like to suggest for reviewing 100GB (or even
10MB) of code?

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch http://libguestfs.org/virt-builder.1.html
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx