Am Montag, 31. Januar 2011, 22:22:40 schrieb Cristian Morales Vega:
2011/1/31 Adrian Schröter <adrian@suse.de>:
No, and this is on purpose.
There must be the guarantee that the _service: files are really generated in the way the services are working. They are used to create the required trust in the uploaded sources. So it will never be allowed to upload them.
Or we would be in the same situation that a packager or distro owner needs to review all uploaded tar balls and check against their upstream project manually.
This same problem could not be simulated using two SVN repos? I create my own SVN repo, do the first checkout, and then change the _service to point to the real SVN? I don't really know enough about SVN internal working to say...
When you change the _service file, it is part of the source log. The only way to trick this is to change it on the svn server or doing a man in the middle attack. The first would mean that did anyway a mistake to trust this upstream project and the latter is not that easy to do... bye adrian -- Adrian Schroeter SUSE Linux Products GmbH email: adrian@suse.de -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org