11 Jun 2009, 06:55
On Wednesday 10 of June 2009 20:22:19 Karsten König wrote:
- Review tarballs for malicious code. Very hard.
The to-be-used tarball often has an md5 sum or other hash on the project download page, so why not introduce a hash field for every source in the spec that needs to match the hash sum of the tarball, so a reviewer only needs to verify the hash sums in the .spec files match the ones from the project download page; then the ball about malicious code is upstream =)
There's a planned feature of BuildService - it will be able to download source code directly from upstream.

Regards
Michal Vyskocil
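
The per-source hash field proposed in the quoted mail, sketched as an added example that is not part of the thread or of BuildService. The `#!SourceN-sha256:` comment syntax is hypothetical, SHA-256 is used here instead of the md5 mentioned in the mail, and the file names and spec are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Hypothetical convention (not an RPM feature): a "#!SourceN-sha256: <hex>"
# comment pins the digest of the file named by the matching "SourceN:" tag.
# Assumes literal Source lines; RPM macros are not expanded here.
SOURCE_RE = re.compile(r"^Source(\d*):\s*(\S+)", re.M)
PIN_RE = re.compile(r"^#!Source(\d*)-sha256:\s*([0-9a-fA-F]{64})\s*$", re.M)


def verify_sources(spec_text, source_dir):
    """Map each source file name to ok / mismatch / unpinned / missing."""
    # A bare "Source:" tag is the same as "Source0:".
    pins = {n or "0": d.lower() for n, d in PIN_RE.findall(spec_text)}
    results = {}
    for n, location in SOURCE_RE.findall(spec_text):
        name = location.rsplit("/", 1)[-1]  # Source may be a full URL
        path = Path(source_dir) / name
        pin = pins.get(n or "0")
        if pin is None:
            results[name] = "unpinned"  # fail closed: no pin, no pass
        elif not path.is_file():
            results[name] = "missing"
        else:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            results[name] = "ok" if digest == pin else "mismatch"
    return results


def demo():
    """Run the check on constructed files and a constructed spec."""
    good = b"constructed upstream tarball"
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "foo-1.0.tar.gz").write_bytes(good)
        (Path(d) / "extra-1.0.tar.gz").write_bytes(b"tampered copy")
        spec = (
            "Name: foo\n"
            "Source0: http://example.org/foo-1.0.tar.gz\n"
            f"#!Source0-sha256: {hashlib.sha256(good).hexdigest()}\n"
            "Source1: extra-1.0.tar.gz\n"
            f"#!Source1-sha256: {hashlib.sha256(b'as published').hexdigest()}\n"
            "Source2: unpinned.tar.gz\n"
        )
        return verify_sources(spec, d)


if __name__ == "__main__":
    print(demo())
```

The check only proves the tarball matches the pinned value; the reviewer still has to compare that value against the one on the project download page.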