vsftpd in the news
Paul Wouters
paul at xelerance.com
Tue Jul 5 03:53:38 UTC 2011
On Tue, 5 Jul 2011, Misha Shnurapet wrote:
>> The backdoor payload is interesting. In response to a :) smiley face in the FTP username, a TCP callback shell is attempted.
>
>> There is no obfuscation.
>
> I have a question: how does that relate to our package building process, and are GPG signatures verified?
For Fedora, package maintainers are responsible for uploading verified tar balls to the fedora build
system. I know I check the gpg signatures on the ones I upload, though these are not always available
as separate sig files.
It would be nice if we could upload/commit the .asc or .sig file, and have the rpmbuild script
automatically check the tar ball.
Paul
More information about the devel
mailing list