On Friday, 12 June 2009, at 11:26 +0200, Marcus Meissner wrote:
On Fri, Jun 12, 2009 at 12:24:15PM +0300, Gerald Pfeifer wrote:
On Wed, 10 Jun 2009, Karsten König wrote:
The tarball to be used often has an MD5 sum or other hash on the project download page, so why not introduce a hash field for every source in the spec that needs to match the hash sum of the tarball? Then a reviewer only needs to verify that the hash sums in the .spec files match the ones from the project download page, and the ball about malicious code is upstream =)
With FreeBSD we have been doing this for ages, including MD5 and SHA hashes as well as the file size as part of the equivalent of spec there.
It's been working pretty well, so I recommend we do this for openSUSE, too.
Well, the only way to be doing this effectively is to make it mandatory.
(we could make this "recommended" for one cycle, and then mandatory, I guess)
If we enforce this to be mandatory there will be quite an outcry, because we did not do this before and it actually causes even more work.
Sure, it'll be painful. But if it's worth it for security, then we could do some experimentation with volunteers to see if this is something they can handle.

Vincent
--
Happy people are not in a hurry.
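A sketch of the check the thread is proposing, added here as an example and not taken from openSUSE's or FreeBSD's tooling. It assumes a hypothetical spec syntax in which each `SourceN:` tag is paired with `SourceN-sha256:` and `SourceN-size:` tags (tag names invented for this example; rpm has no such tags), recomputes the digest and size of each tarball found in the source directory, and reports a source with no recorded hash as a separate status, which is the case a mandatory policy would have to reject. The sample spec and tarballs are constructed inside `demo()`.

```python
"""Verify packaged source tarballs against hashes recorded in a spec file.

Added example, not openSUSE or FreeBSD code. The spec tags below are a
hypothetical syntax assumed for illustration:

    Source0:        https://example.org/foo-1.0.tar.gz
    Source0-sha256: <64 hex chars>
    Source0-size:   <bytes>

SHA-256 is used rather than the MD5 mentioned in the thread because MD5
collisions are practical today.
"""
import hashlib
import os
import re
import tempfile

# One regex covers Source, Source0, Source0-sha256 and Source0-size lines.
TAG_RE = re.compile(r'^Source(\d*)(?:-(sha256|size))?:\s*(\S+)\s*$', re.MULTILINE)


def parse_spec(spec_text):
    """Group SourceN / SourceN-sha256 / SourceN-size tags into one record per source index.

    A bare 'Source:' tag is treated as index '0', as rpm does.
    """
    sources = {}
    for idx, kind, value in TAG_RE.findall(spec_text):
        rec = sources.setdefault(idx or '0', {})
        rec[kind or 'url'] = value
    return sources


def file_digest_and_size(path, chunk=1 << 16):
    """Stream the file so a large tarball never has to fit in memory."""
    h = hashlib.sha256()
    size = 0
    with open(path, 'rb') as f:
        for block in iter(lambda: f.read(chunk), b''):
            h.update(block)
            size += len(block)
    return h.hexdigest(), size


def verify_sources(spec_text, source_dir):
    """Return {index: status} with status in 'ok', 'mismatch', 'unrecorded', 'missing'.

    'unrecorded' means the spec has a Source tag but no hash for it: with the
    field optional this is silently accepted, with it mandatory it is a failure.
    """
    results = {}
    for idx, rec in sorted(parse_spec(spec_text).items()):
        if 'url' not in rec:
            continue  # hash lines without a Source line: nothing to verify
        filename = rec['url'].rsplit('/', 1)[-1]
        path = os.path.join(source_dir, filename)
        if 'sha256' not in rec:
            results[idx] = 'unrecorded'
            continue
        if not os.path.isfile(path):
            results[idx] = 'missing'
            continue
        digest, size = file_digest_and_size(path)
        hash_ok = digest == rec['sha256'].lower()
        # Size is the cheap extra check FreeBSD keeps alongside the hash.
        size_ok = 'size' not in rec or size == int(rec['size'])
        results[idx] = 'ok' if hash_ok and size_ok else 'mismatch'
    return results


def demo():
    """Constructed inputs: three fake tarballs in a temp dir and a spec that
    records hashes for the first two. The second tarball is tampered with after
    its hash was recorded; the third has no hash at all."""
    good = b'pretend this is foo-1.0.tar.gz\n'
    recorded = b'pretend this is bar-2.0.tar.gz\n'
    with tempfile.TemporaryDirectory() as d:
        for name, data in (('foo-1.0.tar.gz', good),
                           ('bar-2.0.tar.gz', recorded + b'evil'),
                           ('baz-3.0.tar.gz', b'no hash recorded\n')):
            with open(os.path.join(d, name), 'wb') as f:
                f.write(data)
        spec = (
            'Name: demo\n'
            'Source0:        https://example.org/foo-1.0.tar.gz\n'
            'Source0-sha256: %s\n'
            'Source0-size:   %d\n'
            'Source1:        https://example.org/bar-2.0.tar.gz\n'
            'Source1-sha256: %s\n'
            'Source1-size:   %d\n'
            'Source2:        https://example.org/baz-3.0.tar.gz\n'
        ) % (hashlib.sha256(good).hexdigest(), len(good),
             hashlib.sha256(recorded).hexdigest(), len(recorded))
        return verify_sources(spec, d)


if __name__ == '__main__':
    print(demo())
```

What this pins down is only that the tarball in the build matches what the packager recorded. If the recorded hash was copied from the same download page the tarball came from, an attacker who controls that page controls both, so the reviewer's comparison still has to be against something independent where upstream offers it (a signed announcement or signature file) for the "ball is upstream" argument to hold.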