On Tue, Nov 25, 2003 at 12:12:12AM +0300, Timothy Ha wrote:
> Thank you!
>
> I still have some questions (not doubts): With thrilling stories like
> someone breaking into the Linux kernel source, how do you guarantee the
> quality of the repositories? Security updates, system tools and so on
> are there.

If someone alters the upstream sources without the upstream developers
noticing it, it is hardly possible to audit it on the packagers' level.
You can only evade this with a full source code review and reviewing all
changes thereafter, which means you need to throw lots of engineering
time at it, which probably only NSA can afford.

> Will Redhat be some guarantee to all these things?

No, not for Red Hat external resources, and possibly not even for the
core set of packages. Maybe some critical packages like kernel and glibc
do get full source code review, but I doubt this can be done for all
O(1000) packages in a typical RH base distribution.

Having said that, RH has a very good record of security audits, as well
as the other mentioned repos until now (I remember the last openssh
security update being done by at least 3 repos simultaneously, without
the repos having offered openssh previously).

But, hey, how can you even trust it is the sender who writes these
lines, and who's that guy looking through your window? ;)

> Phillip Compton wrote:
>
> >On Mon, 2003-11-24 at 12:31, Timothy Ha wrote:
> >
> >>What are more or less official repositories for Fedora?
> >>
> >>fedora.us + freshrpms.net ?
> >
> >fedora.us is my favorite
> >
> >freshrpms.net, dag, and ATrpms are all trustable sources.
> >
> >jpackage is also a good source if you're looking for java related
> >packages.

--
Axel.Thimm@xxxxxxxxxxxxxxxxxxx
Attachment: pgpbrnLNl24kg.pgp (PGP signature)