On Tue, 5 Jul 2011, Misha Shnurapet wrote:
> The backdoor payload is interesting. In response to a :) smiley
> face in the FTP username, a TCP callback shell is attempted.
> There is no obfuscation.

I have a question: how does that relate to our package building process, and are GPG signatures verified?

For Fedora, package maintainers are responsible for uploading verified tarballs to the Fedora build system. I know I check the GPG signatures on the ones I upload, though these are not always available as separate sig files.

It would be nice if we could upload/commit the .asc or .sig file, and have the rpmbuild script automatically check the tarball.

Paul
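
One way the check suggested above could look, as an added example that is not part of the original message or of Fedora's build scripts: a shell function, callable from a spec file's %prep before the tarball is unpacked, that verifies the tarball against its detached signature with gpgv and a keyring committed next to the sources. The function name, return codes and file layout are assumptions made for this example.

```shell
#!/bin/sh
# Added example: verify an upstream tarball against its detached signature
# before unpacking. Return codes are this example's own convention:
#   0 = good signature from a key in the pinned keyring
#   1 = bad signature, or signed by a key that is not in the keyring
#   2 = tarball, signature or keyring file missing or empty
#   3 = gpgv not installed
verify_source() {
    tarball=$1 sig=$2 keyring=$3

    # A missing .asc/.sig must fail the build, not silently skip the check.
    for f in "$tarball" "$sig" "$keyring"; do
        if [ ! -s "$f" ]; then
            echo "verify_source: missing or empty: $f" >&2
            return 2
        fi
    done

    command -v gpgv >/dev/null 2>&1 || {
        echo "verify_source: gpgv not found" >&2
        return 3
    }

    # gpgv looks up a keyring name without a slash in its home directory,
    # so make a bare file name explicitly relative.
    case $keyring in
        */*) ;;
        *) keyring=./$keyring ;;
    esac

    # gpgv accepts only keys in the given keyring and never contacts a
    # key server, so the result depends only on the committed files.
    if gpgv --keyring "$keyring" "$sig" "$tarball" >/dev/null 2>&1; then
        return 0
    fi
    echo "verify_source: signature check FAILED for $tarball" >&2
    return 1
}
```

The keyring has to come from a channel other than the download site for the tarball; a signature and key fetched from the same compromised server prove nothing.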