vsftpd in the news

Michael Cronenworth mike at cchtml.com
Tue Jul 5 22:05:45 UTC 2011


On 07/05/2011 03:46 AM, Michael Schwendt wrote:
> Some packagers do upload the detached sig and add it to the spec
> as another Source file URL.

Great! Except I haven't done so. I wasn't required to submit a signature 
for my package nor do the Package Guideline pages refer to doing so. 
Might be worth someone's time to mention it on the wiki (who knows about 
this functionality).

> The uploaded tarball checksum enters the "sources" file in git, and any
> tarball downloaded from the lookaside cache MUST match that checksum.
> Else it wouldn't be downloaded and used. Source RPM build in koji would
> fail.

This is just a checksum against the tarball that enters the lookaside 
cache. Yes, I know about this. A malicious package could have been 
uploaded to the lookaside cache, however. This leads to demanding 
everyone have signatures available, but what do you do about SVN/Git 
checkouts or projects that don't wish to provide signatures?
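The two checks under discussion, as an added example that is not part of the thread and not Fedora's own tooling: the first reproduces what the lookaside checksum gives you (a pin to whatever tarball was uploaded), the second is the detached-signature verification against an upstream key that the checksum cannot replace. It assumes the two-column "sources" file layout of that era ("<md5sum>  <filename>", one entry per line), a packager-curated keyring file holding the upstream maintainer's public key, and an upstream-provided detached signature; the file names and contents in the demo are constructed stand-ins.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread, not Fedora's own scripts).
# Assumptions: "sources" is "<md5sum>  <filename>" per line; the keyring file
# holds the upstream maintainer's public key; a detached signature sits next
# to the tarball.

# check_sources_entry SOURCES_FILE TARBALL
# Returns 0 when the tarball's md5 matches the entry recorded for its basename.
# This only pins the tarball to the copy whose checksum was committed; it
# says nothing about who produced that copy.
check_sources_entry() {
    sources="$1"
    tarball="$2"
    name=$(basename "$tarball")
    recorded=$(awk -v n="$name" '$2 == n { print $1 }' "$sources")
    if [ -z "$recorded" ]; then
        echo "no entry for $name in $sources" >&2
        return 1
    fi
    actual=$(md5sum "$tarball" | awk '{ print $1 }')
    [ "$actual" = "$recorded" ]
}

# record_sources_entry SOURCES_FILE TARBALL
# Appends (or replaces) the md5 entry for the tarball, the way a packager's
# upload step records the checksum in git.
record_sources_entry() {
    sources="$1"
    tarball="$2"
    name=$(basename "$tarball")
    sum=$(md5sum "$tarball" | awk '{ print $1 }')
    if [ -f "$sources" ]; then
        awk -v n="$name" '$2 != n' "$sources" > "$sources.tmp"
        mv "$sources.tmp" "$sources"
    fi
    printf '%s  %s\n' "$sum" "$name" >> "$sources"
}

# verify_upstream_sig KEYRING TARBALL SIGNATURE
# Returns 0 only when the detached signature validates against a key in the
# packager-curated keyring. A tarball that was swapped before its checksum was
# recorded passes check_sources_entry but fails here, because the attacker
# cannot produce a signature with the upstream maintainer's key.
# Returns 2 when gpgv is not installed so callers can tell "unverifiable"
# from "bad signature".
verify_upstream_sig() {
    keyring="$1"
    tarball="$2"
    sig="$3"
    if ! command -v gpgv >/dev/null 2>&1; then
        echo "gpgv not installed; cannot verify $sig" >&2
        return 2
    fi
    gpgv --keyring "$keyring" "$sig" "$tarball"
}

# demo_checksum_gap
# Constructed scenario: a tarball is uploaded and its checksum recorded, then
# replaced and its checksum re-recorded. Returns 0 if the checksum check still
# passes on the replaced tarball, i.e. the lookaside checksum alone did not
# catch the swap.
demo_checksum_gap() {
    dir=$(mktemp -d)
    tb="$dir/foo-1.0.tar.gz"          # constructed stand-in, not a real tarball
    printf 'genuine upstream release\n' > "$tb"
    record_sources_entry "$dir/sources" "$tb"
    check_sources_entry "$dir/sources" "$tb" || { rm -rf "$dir"; return 1; }

    printf 'replaced before the checksum was committed\n' > "$tb"
    record_sources_entry "$dir/sources" "$tb"
    check_sources_entry "$dir/sources" "$tb"
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

In practice the packager runs verify_upstream_sig against the downloaded tarball and its .sig before running the upload step that records the checksum; once the checksum is in git, check_sources_entry protects every later download from the lookaside cache, but only the signature check protected the first upload.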
