On Thursday, 01.06.2006 at 15:10 +0200, Hans de Goede wrote:
> Thorsten Leemhuis wrote:
> > On Thursday, 01.06.2006 at 08:51 -0400, Konstantin Ryabitsev wrote:
> >> On 6/1/06, Thorsten Leemhuis <fedora@xxxxxxxxxxxxx> wrote:
> >>> 1. create a package, prepare it for review
> >>> 2. get it reviewed and yourself sponsored
> >>> 3. import it and build
> >>> 4. check out some popular packages, upload new tarballs with slightly
> >>> different names and a root-kit in them. Modify the "Source0" accordingly
> >>> 5. commit the changes, hit "CTRL-C" at the right point in time so the
> >>> commit message is not sent to commits-list
> >>> 6. wait until the maintainer fixes something else in the package and
> >>> rebuilds it without noticing the changes done to CVS in between
> >> Most of us have locally checked out copies of our packages [...]
> > What makes you sure that "most of us" do it like that? I for example
> > don't have them because I work on my packages from multiple machines. So
> > I always do a fresh checkout (that way I always get an up-to-date common
> > directory, too).
> > And in any case: "- instead of "6.": build the modified packages
> > yourself -- chances are quite low that somebody will notice it" remains.
> What I do is I have a checkout on each of the machines I develop on and
> do cvs update as needed; when I do an update I check that only files
> which I expect to change change. Making it quite hard (but not
> impossible) to sneak something in unseen.
>
> As for the immediately build it trick, I would notice this in the build
> report which I always read.

And yum would have installed it already on some machines if you were
asleep when the packages were pushed (not to mention that the packages
would be on several mirrors in between, too; and also ignoring the fact
we're all offline for longer now and then -- weekends, holidays,
illness, ...).

> I'm not saying it's impossible, I'm saying it's not _that_ easy.

I'm saying we can't make it impossible that something bad sneaks in, but
currently it's IMHO too easy and we should make it harder without making
it much harder for the contributors.

> Maybe we should write a couple of guidelines for packagers on how they
> can check that their packages aren't modified by someone else without
> them knowing? Combine this with having more than one packager for the
> really popular packages and I think we're ok.

That's a lot of work for the contributors, overloads them and has a high
risk that at least some contributors simply ignore the "guidelines" and
don't check their stuff properly IMHO.

CU
thl

-- 
fedora-extras-list mailing list
fedora-extras-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-extras-list
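The check Hans de Goede describes (after a `cvs update`, confirm that only the expected files changed) and the "guidelines for packagers" idea from the end of the thread, turned into a script. This is an added example, not code from the thread, from Fedora's packaging tooling, or from any of the participants. It assumes the checkout holds a `.spec` file with `SourceN:` tags and a `sources` file whose lines are `<md5sum>  <filename>` (the layout Fedora's CVS used at the time; treated as an assumption here), and that the packager keeps a pinned copy of both from the last commit they made themselves. The package name, URLs, tarball contents and hashes are constructed for the example.

```python
"""Flag unexpected changes to a package's upstream source references.

Added example, not the thread's or Fedora's code. Assumes a .spec file with
SourceN: tags and a Fedora-style `sources` file of "<md5sum>  <filename>"
lines (assumption), plus a pinned known-good copy of both kept by the
packager outside the shared repository.
"""
import hashlib
import re

SOURCE_RE = re.compile(r"^\s*(Source\d*)\s*:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_spec_sources(spec_text):
    """Return {tag: url} for every SourceN: line in a spec file."""
    return {m.group(1).capitalize(): m.group(2) for m in SOURCE_RE.finditer(spec_text)}


def parse_sources_file(text):
    """Return {filename: md5hex} from `sources` lines; reject anything malformed."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or not re.fullmatch(r"[0-9a-f]{32}", parts[0]):
            raise ValueError(f"malformed sources line: {line!r}")
        entries[parts[1]] = parts[0]
    return entries


def compare(pinned_spec, pinned_sources, current_spec, current_sources):
    """Describe every difference between the pinned (known-good) and the
    freshly updated source references. An empty list means nothing the
    packager did not commit themselves touched the upstream tarballs."""
    findings = []
    old_src, new_src = parse_spec_sources(pinned_spec), parse_spec_sources(current_spec)
    for tag in sorted(set(old_src) | set(new_src)):
        if old_src.get(tag) != new_src.get(tag):
            findings.append(f"{tag} changed: {old_src.get(tag)!r} -> {new_src.get(tag)!r}")
    old_h, new_h = parse_sources_file(pinned_sources), parse_sources_file(current_sources)
    for name in sorted(set(old_h) | set(new_h)):
        if name not in old_h:
            findings.append(f"new tarball listed in sources: {name} ({new_h[name]})")
        elif name not in new_h:
            findings.append(f"tarball removed from sources: {name}")
        elif old_h[name] != new_h[name]:
            findings.append(f"checksum for {name} changed: {old_h[name]} -> {new_h[name]}")
    # A Source URL whose basename has no `sources` entry would be fetched at
    # build time with nothing vouching for it at all.
    for tag, url in new_src.items():
        base = url.rsplit("/", 1)[-1]
        if base not in new_h:
            findings.append(f"{tag} points at {base}, which has no entry in sources")
    return findings


def verify_tarball(data, sources_entries, filename):
    """True if the tarball bytes match the md5 recorded for `filename`.
    md5 only because that is what the assumed `sources` format carries."""
    expected = sources_entries.get(filename)
    return expected is not None and hashlib.md5(data).hexdigest() == expected


# Constructed sample inputs (no real package, URL, tarball or hash).
GOOD_TARBALL = b"genuine upstream release foo-1.0\n"
ROGUE_TARBALL = b"same release plus an extra 'helper' nobody asked for\n"
GOOD_MD5 = hashlib.md5(GOOD_TARBALL).hexdigest()
ROGUE_MD5 = hashlib.md5(ROGUE_TARBALL).hexdigest()

PINNED_SPEC = "Name: foo\nVersion: 1.0\nSource0: http://example.org/foo-1.0.tar.gz\n"
PINNED_SOURCES = f"{GOOD_MD5}  foo-1.0.tar.gz\n"

# The scenario from the thread: Source0 repointed at a slightly renamed
# tarball that was uploaded alongside the genuine one.
CURRENT_SPEC = "Name: foo\nVersion: 1.0\nSource0: http://example.org/foo-1.0-src.tar.gz\n"
CURRENT_SOURCES = f"{GOOD_MD5}  foo-1.0.tar.gz\n{ROGUE_MD5}  foo-1.0-src.tar.gz\n"

if __name__ == "__main__":
    for line in compare(PINNED_SPEC, PINNED_SOURCES, CURRENT_SPEC, CURRENT_SOURCES):
        print("WARNING:", line)
```

Run after every `cvs update` and refuse to build while `compare` returns anything the packager did not commit themselves; the pinned copy must live somewhere the shared repository cannot overwrite, otherwise an attacker with commit access simply updates both.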