vsftpd in the news
Adam Williamson
awilliam at redhat.com
Wed Jul 6 04:02:33 UTC 2011
On Tue, 2011-07-05 at 17:11 -0500, Michael Cronenworth wrote:
> On 07/05/2011 11:59 AM, Adam Williamson wrote:
> > That sounds like an excellent idea for a contribution! Remember, the
> > AutoQA project is explicitly designed to allow and indeed encourage
> > tests to be contributed - we would love it if the core AutoQA team
> > worked mostly on the framework, and tests were contributed by many
> > people. Seehttps://fedoraproject.org/wiki/Writing_AutoQA_Tests .
>
> There's a few cavets that have been mentioned in this thread that would
> make this functionality mostly pointless to try and implement.
>
> 1) Not all packages include gpg signatures.
> a) not everyone knows they can include them
> b) SCM checkouts don't have signatures
> c) some projects don't use them
> 2) We don't have a system to validate a gpg signature in place. My
> understanding of GPG is that we would need to house all the public keys
> to validate against. Nothing like this exists. I'm lazy and don't feel
> like creating such a system. :)
>
> We're stuck with the lookaside cache checksum for now.
1) doesn't really matter. So we get some assurance for some packages,
not all; it's still better than none. Don't make the perfect the enemy
of the good.
2) ditto - we can 'house' them in so far as including them as package
sources. If they aren't included then don't run the check. If they are,
run the check...
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net
More information about the devel
mailing list