Mailinglist Archive: opensuse-factory (471 mails)

Re: [opensuse-factory] Security Implications of opening Factory
  • From: Vincent Untz <vuntz@xxxxxxxxxxxx>
  • Date: Sat, 13 Jun 2009 16:13:43 +0200
  • Message-id: <20090613141343.GV10754@xxxxxxxxx>
On Friday 12 June 2009, at 11:26 +0200, Marcus Meissner wrote:
On Fri, Jun 12, 2009 at 12:24:15PM +0300, Gerald Pfeifer wrote:
On Wed, 10 Jun 2009, Karsten König wrote:
The to-be-used tarball often has an md5 sum or other hash on the project
download page, why not introduce a hash field for every source in the spec
that needs to match the hash sum of the tarball, so a reviewer only needs
to verify the hash sums in the .spec files match the ones from the project
download page, then the ball about malicious code is upstream =)

With FreeBSD we have been doing this for ages, including MD5 and SHA
hashes as well as the file size as part of the equivalent of spec there.

It's been working pretty well, so I recommend we do this for openSUSE,
too.

Well, the only way to be doing this effectively is to make it mandatory.

(we could make this "recommended" for one cycle, and then mandatory, I
guess)

If we enforce this to be mandatory there will be quite an outcry, because
we did not do this before and it actually causes even more work.

Sure, it'll be painful. But if it's worth it for security, then we could
do some experimentation with volunteers to see if this is something they
can handle.

Vincent

--
Happy people are not in a hurry.
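
The check discussed in this thread, as an added example that is not part of the original messages or of any openSUSE or FreeBSD tooling: a reviewer-side verifier that compares a source tarball against a recorded hash and file size. The manifest lines follow the style of FreeBSD's distinfo file; using SHA256 only, the function names, file names and file contents are assumptions constructed for the example.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# distinfo-style lines (assumed format): "SHA256 (name) = hex", "SIZE (name) = bytes"
LINE = re.compile(r"^(?P<kind>SHA256|SIZE) \((?P<name>[^)]+)\) = (?P<value>\S+)$")

def parse_manifest(text):
    """Return {filename: {"SHA256": hex, "SIZE": str}}; other lines are ignored."""
    entries = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            entries.setdefault(m["name"], {})[m["kind"]] = m["value"]
    return entries

def verify_source(path, entries):
    """Return 'ok' or a failure reason; a missing or partial entry fails closed."""
    path = Path(path)
    want = entries.get(path.name)
    if not want or "SHA256" not in want or "SIZE" not in want:
        return "no complete manifest entry"
    if path.stat().st_size != int(want["SIZE"]):
        return "size mismatch"
    digest = hashlib.sha256()
    with path.open("rb") as fh:  # stream, tarballs can be large
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    if digest.hexdigest() != want["SHA256"].lower():
        return "hash mismatch"
    return "ok"

def demo():
    """Constructed sample: a matching tarball, a modified one, an unlisted one."""
    with tempfile.TemporaryDirectory() as d:
        good = Path(d, "example-1.0.tar.gz")
        good.write_bytes(b"constructed tarball bytes")
        manifest = (
            f"SHA256 ({good.name}) = {hashlib.sha256(good.read_bytes()).hexdigest()}\n"
            f"SIZE ({good.name}) = {good.stat().st_size}\n"
        )
        entries = parse_manifest(manifest)
        results = [verify_source(good, entries)]
        good.write_bytes(b"constructed tarball bytez")  # same size, new content
        results.append(verify_source(good, entries))
        unlisted = Path(d, "unlisted-2.0.tar.gz")  # never recorded in the manifest
        results.append(verify_source(unlisted, entries))
        return results
```

A match only shows that the packaged tarball is the one whose hash was recorded; as the thread says, whether that code is trustworthy remains an upstream question.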