On Wed, 2006-05-31 at 20:53 +0200, Patrice Dumas wrote:
> > Ohh, sorry, yes, that was a bit misleading. The problem simply is: who
> > checks that the md5 sums stored in CVS are fine / those from upstream?
> > Nobody. I can upload a new version of package "foo" at any time and
> > include a rootkit in the tarball I upload. No one would notice.
>
> Anybody could notice that the source file has changed and could verify that
> the md5sum matches upstream. I don't think that anybody does, however
> (I don't ;)...

If the URL is a full path, such a check could be scripted - though some checks
would need to be manual. Probably not at build time, but a periodic audit.

Such a check could also catch cases where upstream does something dirty and
changes the src tarball without versioning - happened in one package I reviewed
during the review process.

--
fedora-extras-list mailing list
fedora-extras-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-extras-list
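The periodic audit sketched above, written out as an added example (this is not code from the thread or from Fedora Extras infrastructure). It assumes the package CVS carries a `sources` file with one `<md5 hex>  <filename>` line per tarball, that a Source URL is only scriptable when it is a full `http://`, `https://` or `ftp://` path, and that the bytes "served by upstream" have already been downloaded; the sample tarball contents and digests below are constructed so the script runs offline. It reports three outcomes: digest matches, digest mismatch (either the CVS copy or the upstream tarball changed without a version bump), and files that cannot be fetched and therefore need a manual check.

```python
import hashlib
from typing import Dict, List, Tuple

FETCHABLE_SCHEMES = ("http://", "https://", "ftp://")


def md5_hex(data: bytes) -> str:
    """MD5 hex digest, the checksum the CVS 'sources' file records."""
    return hashlib.md5(data).hexdigest()


def is_scriptable_source(source: str) -> bool:
    """A Source entry can be fetched by the audit only if it is a full URL.

    Bare filenames (e.g. 'foo-1.0.tar.gz') have no upstream location and
    must be checked by hand.
    """
    return source.startswith(FETCHABLE_SCHEMES)


def parse_sources(text: str) -> Dict[str, str]:
    """Parse a 'sources' file: '<32 hex chars>  <filename>' per non-empty line."""
    recorded: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"sources line {lineno}: expected '<md5> <file>', got {line!r}")
        digest, filename = parts[0].lower(), parts[1]
        if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"sources line {lineno}: {parts[0]!r} is not an MD5 hex digest")
        recorded[filename] = digest
    return recorded


def audit(sources_text: str, upstream: Dict[str, bytes]) -> List[Tuple[str, str, str]]:
    """Compare each recorded digest with what upstream serves now.

    `upstream` maps filename -> bytes fetched from the full Source URL
    (absent when the URL was not a full path or the download failed).
    Returns (filename, status, detail) for every file that is not a clean match.
    """
    findings: List[Tuple[str, str, str]] = []
    for filename, want in parse_sources(sources_text).items():
        data = upstream.get(filename)
        if data is None:
            findings.append((filename, "MANUAL", "no fetchable upstream URL; verify by hand"))
            continue
        got = md5_hex(data)
        if got != want:
            findings.append((filename, "MISMATCH", f"CVS records {want}, upstream now serves {got}"))
    return findings


# Constructed sample data (assumed, not from the thread): short byte strings
# stand in for the tarballs as they were when their md5 was committed to CVS.
FOO_AS_COMMITTED = b"foo-1.0 tarball contents"
BAR_AS_COMMITTED = b"bar-2.0 tarball contents"
BAZ_AS_COMMITTED = b"baz-3.0 tarball contents"

SAMPLE_SOURCES = (
    f"{md5_hex(FOO_AS_COMMITTED)}  foo-1.0.tar.gz\n"
    f"{md5_hex(BAR_AS_COMMITTED)}  bar-2.0.tar.gz\n"
    f"{md5_hex(BAZ_AS_COMMITTED)}  baz-3.0.tar.gz\n"
)

# What a download from each Source URL returns today: foo is unchanged, bar was
# re-rolled upstream under the same file name, baz has no full URL to fetch.
SAMPLE_UPSTREAM = {
    "foo-1.0.tar.gz": FOO_AS_COMMITTED,
    "bar-2.0.tar.gz": b"bar-2.0 tarball contents, silently re-rolled",
}


def run_demo() -> List[Tuple[str, str, str]]:
    findings = audit(SAMPLE_SOURCES, SAMPLE_UPSTREAM)
    for filename, status, detail in findings:
        print(f"{status:8} {filename}: {detail}")
    if not findings:
        print("all recorded checksums match upstream")
    return findings


if __name__ == "__main__":
    run_demo()
```

Run it periodically (cron, not at build time) over every package's `sources` file; a MISMATCH is the signal for both the "rootkit in the tarball" case and the "upstream re-rolled the tarball" case, and a MANUAL line is the list of packages the audit cannot cover on its own.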