Re: Is this possible in Fedora?

Tim wrote:
> It'll take quite some effort, not impossible, but very difficult, to
> get a signed compromising package into the repos.

One rogue package maintainer could do it easily.  In fact, if one
rogue upstream provided a tarball with a backdoor in it, it might slip
into many distributions before it was noticed.

There are source audits of the Fedora packages, to check that the
tarballs which have been uploaded to our buildsystem match what
upstream has provided, but these checks aren't run on a daily basis.
And they wouldn't catch the problem of a tarball that was compromised
upstream.

The scary possibility is that it's probably easier than many people
think it is.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The sunshine bores the daylights out of me.
Chasing shadows moonlight mystery.

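The two cases Todd distinguishes, a tarball swapped after the packager recorded its hash and a tarball that was already backdoored when upstream published it, can be shown with a small hash audit. This is an added example, not code from the post or from Fedora's own audit tooling. It assumes a pinned-hash file in the form `SHA512 (file) = hexdigest` (modeled on a Fedora `sources` file; treat the exact format as an assumption), and the tarballs, the package name `foo-1.0` and the "backdoor" line inside `configure` are all constructed sample data.

```python
import hashlib
import io
import re
import tarfile

# One pinned-hash line per tarball: "ALGO (filename) = hexdigest" (assumed format).
SOURCES_LINE = re.compile(r"^(?P<algo>[A-Za-z0-9]+) \((?P<name>[^)]+)\) = (?P<digest>[0-9a-fA-F]+)$")


def parse_sources(text):
    """Parse pinned-hash lines into {filename: (hashlib algo name, expected hexdigest)}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SOURCES_LINE.match(line)
        if not m:
            raise ValueError("unparseable sources line: %r" % line)
        expected[m.group("name")] = (m.group("algo").lower(), m.group("digest").lower())
    return expected


def digest(data, algo):
    """Hex digest of raw bytes with the named hashlib algorithm."""
    h = hashlib.new(algo)
    h.update(data)
    return h.hexdigest()


def audit(expected, tarballs):
    """Compare what the build system holds against the pinned hashes.

    Returns {filename: 'ok' | 'mismatch' | 'missing' | 'unexpected'}.
    'unexpected' flags a tarball present in the build system with no pinned hash.
    """
    result = {}
    for name, (algo, want) in expected.items():
        data = tarballs.get(name)
        if data is None:
            result[name] = "missing"
        else:
            result[name] = "ok" if digest(data, algo) == want else "mismatch"
    for name in tarballs:
        if name not in expected:
            result[name] = "unexpected"
    return result


def make_tarball(files):
    """Build a gzip'd tarball in memory from {path: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            info.mtime = 0
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample tarballs: a clean release and one whose configure script was backdoored.
CLEAN = make_tarball({"foo-1.0/configure": b"#!/bin/sh\necho configuring\n"})
BACKDOORED = make_tarball({"foo-1.0/configure": b"#!/bin/sh\necho configuring\n# backdoor: phone home here\n"})


def scenario_buildsystem_tamper():
    """Hash recorded from the clean upstream tarball; build system copy replaced afterwards.

    The audit catches this: the stored tarball no longer matches the pinned hash.
    """
    sources = "SHA512 (foo-1.0.tar.gz) = %s\n" % digest(CLEAN, "sha512")
    return audit(parse_sources(sources), {"foo-1.0.tar.gz": BACKDOORED})


def scenario_upstream_compromise():
    """Upstream shipped the backdoored tarball; the packager pinned its hash in good faith.

    The audit passes: the hash was computed over the already-compromised bytes,
    so a match proves only that nothing changed after it was recorded.
    """
    sources = "SHA512 (foo-1.0.tar.gz) = %s\n" % digest(BACKDOORED, "sha512")
    return audit(parse_sources(sources), {"foo-1.0.tar.gz": BACKDOORED})


if __name__ == "__main__":
    print("build system tampered:", scenario_buildsystem_tamper())
    print("upstream compromised: ", scenario_upstream_compromise())
```

The second scenario is the one the post calls the scary possibility: a hash comparison anchors trust to whatever the packager downloaded, so it detects later substitution in the build system but says nothing about whether upstream's release was clean to begin with.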
-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
