Dealing with circular BuildRequires?

Jesse Keating jkeating at j2solutions.net
Fri Oct 7 16:25:25 UTC 2011


On Oct 7, 2011, at 8:21 AM, Till Maas wrote:
> On Fri, Oct 07, 2011 at 07:53:25AM -0700, Jesse Keating wrote:
> 
>> Might have gone quicker if you pull via git:// and then only push via ssh:// reducing your ssh handshakes by half.
> 
> How do you ensure the integrity of the git repo if it is pulled via
> git://? As far as I can see doing this automatically is an invitation to
> perform man-in-the-middle attacks.
> 
> Kind Regards
> Till


Sure that's a risk.  It'd take a fairly sophisticated attach to take advantage of it, but yes, it's a risk.  Strikes me as easier to just fake your way into the packager group and upload your bad-bits that way.  Everything is a balance between risk and performance.

- jlk




More information about the devel mailing list