Re: FAKE: Fedora Extras shipped popular package with rootkit and more than ten thousands systems were infected (was Re: Summary from last weeks FESCo meeting)

Thorsten Leemhuis wrote:
> On Thursday, 01.06.2006, 08:51 -0400, Konstantin Ryabitsev wrote:
>> On 6/1/06, Thorsten Leemhuis <fedora@xxxxxxxxxxxxx> wrote:
>>> 1. create a package, prepare it for review
>>> 2. get it reviewed and yourself sponsored
>>> 3. import it and build
>>> 4. checkout some popular packages, upload new tarballs with slightly
>>> different names and a root-kit in them. Modify the "Source0" accordingly
>>> 5. commit the changes, hit "CTRL-C" at the right point of time so the
>>> commit-message is not sent to commits-list
>>> 6. wait until the maintainer fixes something else in the package and
>>> rebuilds it without noticing the changes done to CVS in between
>> Most of us have locally checked out copies of our packages [...]
>
> What makes you sure that "most of us" do it like that? I for example
> don't have them because I work on my packages from multiple machines. So
> I always do a fresh checkout (that way I always get an up2date common
> directory, too).
>
> And in any case: "- instead of "6.": build the modified packages
> yourself -- chances are quite low that somebody will notice it" remains.


What I do is I have a checkout on each of the machines I develop on and do cvs update as needed; when I do an update I check that only the files which I expect to change, change. That makes it quite hard (but not impossible) to sneak something in unseen.

As for the "immediately build it" trick, I would notice this in the build report, which I always read.

I'm not saying it's impossible, I'm saying it's not _that_ easy. Maybe we should write a couple of guidelines for packagers on how they can check that their packages aren't modified by someone else without them knowing? Combine this with having more than one packager for the really popular packages and I think we're ok.

Regards,

Hans


--
fedora-extras-list mailing list
fedora-extras-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-extras-list
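An added example of the check Hans describes (not code from this thread or from Fedora's own tooling): record a hash baseline of a package checkout and, after a later update, report any file that changed other than the ones the packager edited on purpose. It assumes the checkout layout of the time (a .spec file, a "sources" list and the tarballs it names) and that sha256sum or shasum is installed; the demo checkout it builds is constructed, not a real package.

```shell
#!/bin/sh
# Added example (not from the list thread or Fedora's tools): record a hash
# baseline of a package checkout, then verify after "cvs update" that only
# the files you expected to change actually changed.
# Assumed layout (as in Fedora Extras CVS of the time): a .spec file, a
# "sources" list of tarball checksums, and the tarballs themselves.
set -eu

# Hash every file in the checkout except CVS bookkeeping, in a stable order.
# File names are assumed to contain no whitespace.
hash_tree() {  # hash_tree <checkout_dir>
    ( cd "$1" && find . -type f ! -path './CVS/*' | LC_ALL=C sort |
        if command -v sha256sum >/dev/null 2>&1; then xargs sha256sum
        else xargs shasum -a 256; fi )
}

# Save the known-good state, e.g. right after a commit you made yourself.
record_baseline() {  # record_baseline <checkout_dir> <baseline_file>
    hash_tree "$1" > "$2"
}

# Compare the checkout with the baseline. Paths given after the baseline are
# the files you edited deliberately; any other difference is reported and the
# function returns 1 so it can gate a build script.
verify_checkout() {  # verify_checkout <checkout_dir> <baseline_file> [expected_file...]
    dir=$1; base=$2; shift 2
    current=$(mktemp)
    hash_tree "$dir" > "$current"
    # Lines present in only one listing = files added, removed or modified.
    changed=$(cat "$base" "$current" | LC_ALL=C sort | uniq -u |
              awk '{print $2}' | LC_ALL=C sort -u)
    rm -f "$current"
    unexpected=""
    for f in $changed; do
        ok=0
        for e in "$@"; do
            [ "$f" = "./$e" ] && ok=1
        done
        [ "$ok" -eq 1 ] || unexpected="$unexpected $f"
    done
    if [ -n "$unexpected" ]; then
        echo "UNEXPECTED changes in $dir:$unexpected" >&2
        return 1
    fi
    echo "OK: only expected files changed in $dir"
}

# Demo on a constructed checkout (fake spec, sources and tarball contents).
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/foo"
    printf 'Name: foo\nVersion: 1.0\nSource0: foo-1.0.tar.gz\n' > "$tmp/foo/foo.spec"
    printf 'constructed tarball placeholder\n' > "$tmp/foo/foo-1.0.tar.gz"
    printf '0123456789abcdef  foo-1.0.tar.gz\n' > "$tmp/foo/sources"
    record_baseline "$tmp/foo" "$tmp/foo.baseline"
    # Your own edit to the spec is expected...
    printf 'Release: 2\n' >> "$tmp/foo/foo.spec"
    verify_checkout "$tmp/foo" "$tmp/foo.baseline" foo.spec
    # ...but a changed "sources" plus a tarball you never uploaded is not.
    printf 'fedcba9876543210  foo-1.0.1.tar.gz\n' > "$tmp/foo/sources"
    printf 'another constructed placeholder\n' > "$tmp/foo/foo-1.0.1.tar.gz"
    verify_checkout "$tmp/foo" "$tmp/foo.baseline" foo.spec || true
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `--demo` to see one expected edit pass and a silent change to "sources" get flagged. The baseline only protects the checkout you hashed; it is the packager's own record, kept outside CVS, so it complements rather than replaces reading the commits list and the build report.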
