vsftpd in the news

Andreas Schwab schwab at redhat.com
Tue Jul 5 09:01:15 UTC 2011

Michael Schwendt <mschwendt at gmail.com> writes:

> The uploaded tarball checksum enters the "sources" file in git, and any
> tarball downloaded from the lookaside cache MUST match that checksum.
> Else it wouldn't be downloaded and used. Source RPM build in koji would
> fail.

That won't help if the tarball is already defective when uploaded.  The
checksum is basically only used to identify the blob in the cache, at
most to detect cache corruptions.


Andreas Schwab, schwab at redhat.com
GPG Key fingerprint = D4E8 DBE3 3813 BB5D FA84  5EC7 45C6 250E 6F00 984E
"And now for something completely different."

More information about the devel mailing list