Dean S. Messing wrote:
> Out of curiosity (and Off Topic), what mechanism is used to check if
> a malevolent author sneaks a security hole into their package? Is
> there an independent review of all the source code?

There isn't a required full code review before a package can be accepted. It would be nice to do this, but it'd mean that there wouldn't be a lot of packages in the repositories.

The main integrity check on packages is that they match the upstream project. This is usually checked via sha1sum. Of course, if the upstream release has a security hole (malevolent or not), it will still be present in Fedora unless the reviewer notices it.

This is a hard problem to solve. It's often said that free software has fewer bugs and security holes because anyone can review the code, but that doesn't mean that someone always does so or that they notice the holes that may be there. For example, there were some security holes in gnupg that lurked there for years before someone pointed them out -- and that's in a program that you'd expect more eyes were looking over for such problems.

If you're curious to read through the guidelines that are used when creating/reviewing packages for Fedora, they're at:
http://fedoraproject.org/wiki/Packaging/Guidelines

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
So I don't get hurt?! That's the best you can come up with you dull-witted termagant!
    -- Stewie Griffin, on why he needs a car seat
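The "matches upstream" check Todd describes, as an added example that is not part of the original mail or of any Fedora tooling: a small POSIX shell script that hashes a source tarball with sha1sum (falling back to shasum) and compares it with the checksum upstream published, rejecting a copy that was modified after download. The tarball contents, file names and the "upstream" checksum are constructed inside the script for the demo. Note what the check does and does not prove: a match says the packager's copy is byte-identical to upstream's release, nothing more; a hole that is already in the upstream release passes this check unchanged.

```shell
#!/bin/sh
# Added example (not from the original mail or from Fedora's tooling):
# verify that a downloaded source tarball matches the checksum upstream
# published. All file names, contents and hashes here are constructed.

# Print the SHA-1 of a file, using whichever tool the system has.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# verify_source FILE EXPECTED_SHA1
# Returns 0 when FILE hashes to EXPECTED_SHA1, 1 otherwise.
verify_source() {
    file=$1
    expected=$2
    actual=$(sha1_of "$file") || return 1
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches upstream ($actual)"
        return 0
    fi
    echo "MISMATCH: $file is $actual, upstream published $expected" >&2
    return 1
}

# Demo: build a constructed "upstream" release, record its hash the way an
# upstream project publishes one, then show that a copy altered after
# download fails the check. Returns 0 when both outcomes are as expected.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'int main(void) { return 0; }\n' > "$tmp/hello-1.0.tar"
    upstream_sha1=$(sha1_of "$tmp/hello-1.0.tar")   # what upstream publishes

    # The pristine copy must pass.
    verify_source "$tmp/hello-1.0.tar" "$upstream_sha1" || { rm -rf "$tmp"; return 1; }

    # A copy with anything appended (say, a backdoor slipped in after the
    # download) must be rejected.
    cp "$tmp/hello-1.0.tar" "$tmp/hello-1.0-tampered.tar"
    printf 'extra\n' >> "$tmp/hello-1.0-tampered.tar"
    if verify_source "$tmp/hello-1.0-tampered.tar" "$upstream_sha1" 2>/dev/null; then
        rm -rf "$tmp"
        return 1
    fi
    rm -rf "$tmp"
    return 0
}
```

Run `demo` to see one accepted and one rejected tarball; in practice the expected hash comes from upstream's release announcement or checksum file, fetched separately from the tarball itself, and a reviewer would also check the detached signature when upstream provides one.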