https://bugzilla.redhat.com/show_bug.cgi?id=1020292

--- Comment #55 from Simone Caronni <negativo17@xxxxxxxxx> ---
(In reply to Suvayu from comment #54)
> Unless Fedora can
> guarantee that the distributed binary will be identical to the upstream
> binary

This can never happen. Libraries, compilers, etc. will be different. Based on the same logic there should be one and only Linux distribution that everybody uses.

> or at least Fedora infrastructure will provide sufficient
> information to the user such that they can verify the Fedora packaged
> binaries aren't compromised, Fedora should not be including this in the
> repo. Events since 2017 have shown this is an important concern.

This can be guaranteed by the various chains of trust (builders, package signatures, etc.) and is easily verifiable. Putting this under doubt means saying the distribution can not be trusted at all and any binary/package in it can be compromised easily.