On Thursday, 01.06.2006 at 08:13 +0200, Thorsten Leemhuis wrote:
> On Wednesday, 31.05.2006 at 22:38 +0200, Michael Schwendt wrote:
> But to be fair: Yes, I think it is a problem. IMHO it's currently way too
> easy to bring in something nasty to Fedora Extras.

Just a quick howto in case people don't know how easy it is:

1. create a package, prepare it for review
2. get it reviewed and yourself sponsored
3. import it and build
4. checkout some popular packages, upload new tarballs with slightly different names and a root-kit in it. Modify the "Source0" accordingly
5. commit the changes, hit "CTRL-C" at the right point of time so the commit-message is not sent to commits-list
6. wait until the maintainer fixes something else in the package and rebuilds it without noticing the changes done to CVS in between

There are slight variants that even might work better. E.g.

- have a popular package in Extras and do it with that directly (that's the easiest solution)
- instead of "6.": build the modified packages yourself -- chances are quite low that somebody will notice it
- instead of "6.": file a bug against the package you modified with a spec-file patch that fixes something in the package without requiring a new version -- the maintainer might apply it and request a rebuild (that is done with the modified tarball you imported to cvs earlier)

CU
thl
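A pre-build check against the tarball swap in steps 4 to 6, as an added example that is not part of the original mail or of the Fedora tooling: it compares the spec and source manifest at the last build with the current checkout and flags source changes made without a Version bump. The "checksum filename" manifest format, the function names and the sample package "foo" are assumptions constructed for illustration.

```python
import re

def parse_spec(spec_text):
    """Collect the Version and SourceN tags of an RPM spec file."""
    tags = {}
    for line in spec_text.splitlines():
        m = re.match(r"\s*(Version|Source\d*)\s*:\s*(\S+)", line, re.I)
        if m:
            tags[m.group(1).lower()] = m.group(2)
    return tags

def parse_manifest(text):
    """Parse 'checksum filename' lines (assumed manifest format)."""
    pairs = (line.split() for line in text.splitlines())
    return {p[1]: p[0] for p in pairs if len(p) == 2}

def audit(built, current):
    """Compare (spec, manifest) at the last build with the current checkout."""
    old_spec, new_spec = parse_spec(built[0]), parse_spec(current[0])
    old_src, new_src = parse_manifest(built[1]), parse_manifest(current[1])
    same_version = old_spec.get("version") == new_spec.get("version")
    findings = []
    for tag in sorted(set(old_spec) | set(new_spec)):
        old, new = old_spec.get(tag), new_spec.get(tag)
        if tag.startswith("source") and old != new and same_version:
            findings.append(f"{tag} changed without Version bump: {old} -> {new}")
    for name in sorted(new_src):
        if name not in old_src and same_version:
            findings.append(f"new tarball without Version bump: {name}")
        elif name in old_src and old_src[name] != new_src[name]:
            findings.append(f"checksum changed for existing tarball: {name}")
    return findings

# Constructed sample data: package "foo" as last built, and after a tarball swap.
BUILT = ("Name: foo\nVersion: 1.2\nSource0: foo-%{version}.tar.gz\n",
         "aaaa1111 foo-1.2.tar.gz\n")
SWAPPED = ("Name: foo\nVersion: 1.2\nSource0: foo_%{version}.tar.gz\n",
           "bbbb2222 foo_1.2.tar.gz\n")
UPDATED = ("Name: foo\nVersion: 1.3\nSource0: foo-%{version}.tar.gz\n",
           "cccc3333 foo-1.3.tar.gz\n")

if __name__ == "__main__":
    for finding in audit(BUILT, SWAPPED):
        print("REVIEW:", finding)
```

Run before a rebuild, a non-empty result means the sources changed since the last build in a way the maintainer should confirm against upstream before requesting the build.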