On 2017-09-26, Richard W.M. Jones <rjones@xxxxxxxxxx> wrote:
> On Tue, Sep 26, 2017 at 07:18:12AM +0000, Petr Pisar wrote:
>> On 2017-09-25, Hedayat Vatankhah <hedayat.fwd@xxxxxxxxx> wrote:
>> > /*Pierre-yves Chibon*/ wrote on Mon, 25 Sep 2017 09:38:39 +0200:
>> >> It's an interesting idea but then it would become quite hard to check
>> >> if there is a mitm attack of some sort. With the current process, at
>> >> least the packager has the possibility to check the sources locally
>> >> before uploading them into Fedora.
>> >> The solution would be to provide the sha + the url and let the download
>> >> be server side but that won't save you from downloading the sources
>> >> locally first.
>> > Yes, but even if I'm forced to download locally, it is much better than
>> > being forced to upload it again. (Also, note that the current process
>> > doesn't prevent MITM if it happens when I download the source).
>>
>> A packager is responsible for reviewing the code before uploading it to the
>> Fedora infrastructure. It does not matter whether the code matches what
>> upstream released. Actually in some cases the code is intentionally
>> changed by the packagers (e.g. when removing bad-licensed code).
>
> Are there any tools you'd like to suggest for reviewing 100GB
> (or even 10MB) of code?
>
diff. First you review 100GB code, and then you review differences only.

Actually you do not need to review 100GB of code. You can unbundle it first.
I doubt the 100GB were written from scratch.

-- Petr
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
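As an added illustration of the two points raised in this thread (checking a downloaded archive against a recorded sha before review, and reviewing only the diff against the previously reviewed release), the script below is not part of the thread or of any Fedora tooling. The package names, the "sources" file layout (sha256sum output keyed by archive name) and the two source trees are constructed in a temporary directory purely for the demonstration; a tampered copy of the archive is built to show the hash check failing.

```shell
#!/bin/sh
# Added example, not from the thread or from Fedora infrastructure:
# 1. verify_source  - does the archive match the hash the packager recorded?
# 2. review_delta   - produce the diff between the already-reviewed tree and
#                     the new one, so only the changes need a second review.
# Everything under $WORK is constructed demo data.

set -eu

WORK=$(mktemp -d)

# verify_source ARCHIVE SOURCESFILE
# SOURCESFILE holds "sha256sum"-style lines: "<hash>  <archive name>".
# Returns 0 only when ARCHIVE's sha256 equals the recorded one.
verify_source() {
    archive=$1
    sourcesfile=$2
    recorded=$(awk -v f="$(basename "$archive")" '$2 == f { print $1 }' "$sourcesfile")
    [ -n "$recorded" ] || { echo "no recorded hash for $archive" >&2; return 1; }
    actual=$(sha256sum "$archive" | awk '{ print $1 }')
    [ "$actual" = "$recorded" ]
}

# review_delta OLD_DIR NEW_DIR PATCHFILE
# Writes a unified diff of the reviewed tree against the new tree to PATCHFILE.
# Returns 0 when there is something to review, 1 when the trees are identical,
# and propagates diff's own error status (2) otherwise.
review_delta() {
    rc=0
    diff -ruN "$1" "$2" > "$3" || rc=$?
    case $rc in
        0) return 1 ;;
        1) return 0 ;;
        *) return "$rc" ;;
    esac
}

# --- constructed demo data: a reviewed 1.0 tree, a new 1.1 tree, its archive ---
mkdir -p "$WORK/pkg-1.0/src" "$WORK/pkg-1.1/src"
printf 'int main(void) { return 0; }\n' > "$WORK/pkg-1.0/src/main.c"
cp "$WORK/pkg-1.0/src/main.c" "$WORK/pkg-1.1/src/main.c"
printf 'int helper(void) { return 1; }\n' > "$WORK/pkg-1.1/src/helper.c"
tar -C "$WORK" -czf "$WORK/pkg-1.1.tar.gz" pkg-1.1

# The packager records the hash of the archive they actually reviewed.
(cd "$WORK" && sha256sum pkg-1.1.tar.gz > sources)

# A copy with one extra byte stands in for an archive altered in transit.
mkdir -p "$WORK/mitm"
cp "$WORK/pkg-1.1.tar.gz" "$WORK/mitm/pkg-1.1.tar.gz"
printf 'x' >> "$WORK/mitm/pkg-1.1.tar.gz"

# Stand-alone run: verify the genuine archive, then show the delta to review.
if verify_source "$WORK/pkg-1.1.tar.gz" "$WORK/sources"; then
    echo "pkg-1.1.tar.gz matches the recorded sha256"
fi
if ! verify_source "$WORK/mitm/pkg-1.1.tar.gz" "$WORK/sources"; then
    echo "mitm/pkg-1.1.tar.gz does NOT match the recorded sha256"
fi
if review_delta "$WORK/pkg-1.0" "$WORK/pkg-1.1" "$WORK/review.patch"; then
    echo "changes to review since pkg-1.0:"
    cat "$WORK/review.patch"
fi
```

The hash check only tells you the archive is the one whose hash was recorded; it says nothing about whether that archive was reviewed, which is the point Petr makes above. The diff step is what keeps the second review small: once pkg-1.0 has been read, review.patch is all that is new in pkg-1.1.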