> Ohh, sorry, yes, that was a bit misleading. The problem simply is: who
> checks that the md5 sums stored in CVS are fine / those from upstream?
> Nobody. I can upload a new version of package "foo" at any time and
> include a rootkit in the tarball I upload. No one would notice.

Anybody could notice that the source file has changed and could verify
that the md5sum matches upstream. I don't think that anybody does,
however (I don't ;)...

-- Pat

--
fedora-extras-list mailing list
fedora-extras-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-extras-list
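
The verification discussed in this message, sketched as an added example (not part of the original post and not Fedora's own tooling): it compares stored md5 sums against tarballs fetched independently from upstream and reports mismatches. The md5sum(1)-style manifest layout, the function names and the sample files are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def md5_of(path, chunk=65536):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_manifest(text):
    """Parse md5sum(1)-style 'digest  filename' lines into {filename: digest}."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            digest, name = line.split(None, 1)
            entries[name.strip().lstrip("*")] = digest.lower()
    return entries

def audit(manifest_text, upstream_dir):
    """Compare stored digests with tarballs fetched independently from upstream."""
    report = {}
    for name, stored in parse_manifest(manifest_text).items():
        path = os.path.join(upstream_dir, os.path.basename(name))
        if not os.path.isfile(path):
            report[name] = "MISSING_UPSTREAM"
        elif md5_of(path) != stored:
            report[name] = "MISMATCH"
        else:
            report[name] = "OK"
    return report

def demo():
    # Constructed sample data: stand-in "upstream" tarballs and a stored manifest.
    good, other = b"upstream release 1.0\n", b"upstream release 2.1\n"
    with tempfile.TemporaryDirectory() as d:
        for fname, data in [("foo-1.0.tar.gz", good), ("bar-2.1.tar.gz", other)]:
            with open(os.path.join(d, fname), "wb") as f:
                f.write(data)
        manifest = "\n".join([
            hashlib.md5(good).hexdigest() + "  foo-1.0.tar.gz",
            hashlib.md5(b"changed before upload\n").hexdigest() + "  bar-2.1.tar.gz",
            "0" * 32 + "  baz-0.3.tar.gz",  # no upstream copy to compare against
        ])
        return audit(manifest, d)

if __name__ == "__main__":
    print(demo())
```

The result is only as trustworthy as the upstream copy: the tarballs in `upstream_dir` have to come from the upstream site directly, not from the same upload being checked.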