On Wednesday, 31.05.2006, 20:31 +0200, Michael Schwendt wrote:
> On Wed, 31 May 2006 19:36:38 +0200, Thorsten Leemhuis wrote:
>
> > * scop> | nirik, I assume that buildsys checks md5sums from the
> > "sources" file for everything in lookaside cache
> > * that wrong -> the sums are not checked (that has problems when
> > upstream servers are down or rearrange their layout or ...) and we have
> > modified tarballs (mp3 stuff removed)
>
> scop is right. The buildsys runs "make srpm" which in turn fetches the
> md5 sums from the "sources" file and only succeeds in downloading
> tarballs from the lookaside cache if they match the md5 sums. You
> cannot simply replace a tarball in the lookaside cache, because when
> its md5 sum differs, you need to update also the "sources" file.

Ohh, sorry, yes, that was a bit misleading. The problem simply is: who
checks that the md5 sums stored in CVS are fine / those from upstream?
Nobody. I can upload a new version of package "foo" at any time and
include a rootkit in the tarball I upload. No one would notice.

CU
thl
-- 
Thorsten Leemhuis <fedora@xxxxxxxxxxxxx>
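Added example, not part of the original thread and not the buildsys code: a sketch of the two checks discussed above, the "sources" md5 comparison that the build already performs and the comparison against an upstream-published digest that nobody performs. The "md5  filename" line layout, the file names, the tarball contents and the idea that upstream publishes a SHA-256 digest are assumptions made for this illustration.

```python
import hashlib


def parse_sources(text):
    """Parse 'md5  filename' lines (assumed layout of the "sources" file)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        entries[name.strip()] = digest.lower()
    return entries


def audit(sources_text, tarballs, upstream_sha256):
    """Return {filename: status} for every entry in the "sources" file.

    tarballs:        {filename: bytes} as fetched from the lookaside cache
    upstream_sha256: {filename: hex digest} obtained independently from upstream
    """
    report = {}
    for name, recorded_md5 in parse_sources(sources_text).items():
        data = tarballs.get(name)
        if data is None:
            report[name] = "missing"
        elif hashlib.md5(data).hexdigest() != recorded_md5:
            report[name] = "cache-mismatch"      # the check the build performs
        elif name not in upstream_sha256:
            report[name] = "unverified"          # nothing to compare against
        elif hashlib.sha256(data).hexdigest() != upstream_sha256[name].lower():
            report[name] = "upstream-mismatch"   # the check nobody performs
        else:
            report[name] = "ok"
    return report


# Constructed sample data: the uploaded foo tarball differs from the upstream one.
UPSTREAM_FOO = b"foo 1.0 as released upstream"
UPLOADED_FOO = b"foo 1.0 with content changed by the uploader"
BAR = b"bar 2.1 as released upstream"


def demo():
    tarballs = {"foo-1.0.tar.gz": UPLOADED_FOO, "bar-2.1.tar.gz": BAR}
    # The uploader writes the "sources" file, so it always matches the upload.
    sources = "".join(f"{hashlib.md5(d).hexdigest()}  {n}\n" for n, d in tarballs.items())
    upstream = {"foo-1.0.tar.gz": hashlib.sha256(UPSTREAM_FOO).hexdigest(),
                "bar-2.1.tar.gz": hashlib.sha256(BAR).hexdigest()}
    return audit(sources, tarballs, upstream)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

An "upstream-mismatch" result needs human review rather than automatic rejection, since the thread notes that some tarballs are modified on purpose (mp3 stuff removed).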