After reading reports about vulnerabilities in some FreeBSD tools for maintaining the Ports tree (in German: "An anonymous document describes security vulnerabilities in FreeBSD components", http://www.golem.de/news/anonymes-dokument-angriffe-auf-den-freebsd-update-p... ; the linked English text: NON-CRYPTANALYTIC ATTACKS AGAINST FREEBSD UPDATE COMPONENTS, https://gist.github.com/anonymous/e48209b03f1dd9625a992717e7b89c4f ), some people are discussing (in German) the possibility of similar issues in Linux software maintenance infrastructure.

In short, FreeBSD users download source code archives from public FTP, HTTP or HTTPS servers automatically with Ports tools, either with a simple "make" in /usr/ports or with advanced tools like Portsnap. After the download, tools like Portsnap or make verify the downloaded source archive against locally stored checksums and sizes in the Ports tree. For instance, Bash (bash-4.3.tar.gz) and the bash patches are verified against the locally stored file /usr/ports/shells/bash/distinfo:

/usr/ports> cat shells/bash/distinfo
TIMESTAMP = 1467096568
SHA256 (bash/bash-4.3.tar.gz) = afc687a28e0e24dc21b988fa159ff9dbcf6b7caa92ade8645cc6d5605cd024d4
SIZE (bash/bash-4.3.tar.gz) = 7955839
SHA256 (bash/bash43-001) = ecb3dff2648667513e31554b3ad054ccd89fce38e33367c9459ac3a285153742
SIZE (bash/bash43-001) = 1617
[...]

openSUSE does not use a Ports system like FreeBSD. All source code archive downloads are handled by the package maintainer, who uploads the archives to the openSUSE Build Service, or by service scripts which download source code archives automatically using a secured infrastructure in the Build Service. But I wonder how we check the integrity of source code archives in the openSUSE Build Service? I never saw any checksums or PGP signatures in Build Service projects. Of course, one problem is that it's not always easy to find reliable checksums or signatures for any upstream project.
Greetings,
Björn

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
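The distinfo check described in the message above, written out as an added example (this is illustrative code, not FreeBSD's own fetch logic from bsd.port.mk and not anything from the openSUSE Build Service): it parses the distinfo format shown in the e-mail, checks the SIZE first (cheap, and it catches truncated downloads) and then the SHA256, and reports which check failed. The BASH_DISTINFO text is copied from the e-mail; the "example/foo-1.0.tar.gz" archive bytes and their distinfo entry are constructed here for the demonstration. The caveat the check does not remove: it is only as strong as the trust in the locally stored distinfo, so however that file reaches the machine (Portsnap, a signed tree, a maintainer commit) is the real trust anchor.

```python
"""Verify a downloaded distfile against a FreeBSD-style distinfo file.

Illustrative code only; not the checksum logic of the FreeBSD Ports
framework. Distfile names and archive bytes below are constructed.
"""
import hashlib
import re
from typing import Dict, Tuple

# Copied from the e-mail: /usr/ports/shells/bash/distinfo (first entries).
BASH_DISTINFO = """\
TIMESTAMP = 1467096568
SHA256 (bash/bash-4.3.tar.gz) = afc687a28e0e24dc21b988fa159ff9dbcf6b7caa92ade8645cc6d5605cd024d4
SIZE (bash/bash-4.3.tar.gz) = 7955839
SHA256 (bash/bash43-001) = ecb3dff2648667513e31554b3ad054ccd89fce38e33367c9459ac3a285153742
SIZE (bash/bash43-001) = 1617
"""

# One distinfo line:  SHA256 (group/file) = <hex>   or   SIZE (group/file) = <decimal>
_LINE_RE = re.compile(r"^(?P<key>SHA256|SIZE)\s+\((?P<name>[^)]+)\)\s*=\s*(?P<value>\S+)$")


def parse_distinfo(text: str) -> Dict[str, Dict[str, str]]:
    """Return {distfile: {"SHA256": hexdigest, "SIZE": decimal string}}.

    TIMESTAMP lines are skipped; any other unparseable line is an error
    rather than being silently ignored, so a corrupted distinfo cannot
    quietly drop a check.
    """
    entries: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("TIMESTAMP"):
            continue
        m = _LINE_RE.match(line)
        if m is None:
            raise ValueError(f"malformed distinfo line: {line!r}")
        entries.setdefault(m["name"], {})[m["key"]] = m["value"]
    return entries


def make_distinfo(files: Dict[str, bytes], timestamp: int = 0) -> str:
    """Produce distinfo text for in-memory distfiles (what `make makesum` does for a port)."""
    lines = [f"TIMESTAMP = {timestamp}"]
    for name, data in files.items():
        lines.append(f"SHA256 ({name}) = {hashlib.sha256(data).hexdigest()}")
        lines.append(f"SIZE ({name}) = {len(data)}")
    return "\n".join(lines) + "\n"


def verify_distfile(distinfo: str, name: str, data: bytes) -> Tuple[bool, str]:
    """Check `data` against the SIZE and SHA256 recorded for `name`.

    Returns (ok, reason). Size is checked before hashing: a truncated
    or padded download is rejected without reading the whole file,
    and a missing entry is a failure, never a pass.
    """
    entries = parse_distinfo(distinfo)
    want = entries.get(name)
    if want is None:
        return False, f"no distinfo entry for {name}"
    if "SIZE" not in want or "SHA256" not in want:
        return False, f"incomplete distinfo entry for {name}"
    if len(data) != int(want["SIZE"]):
        return False, f"size mismatch: got {len(data)}, want {want['SIZE']}"
    got = hashlib.sha256(data).hexdigest()
    if got != want["SHA256"].lower():
        return False, "sha256 mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed archive for the demonstration (not a real distfile).
    name = "example/foo-1.0.tar.gz"
    good = b"constructed tarball bytes"
    distinfo = make_distinfo({name: good}, timestamp=1467096568)
    print(distinfo)
    print("good     :", verify_distfile(distinfo, name, good))
    # Same length, one byte changed: passes SIZE, fails SHA256.
    print("tampered :", verify_distfile(distinfo, name, good[:-1] + b"X"))
    # Truncated download: fails at the SIZE check already.
    print("truncated:", verify_distfile(distinfo, name, good[:-1]))
    # Real entries from the e-mail parse as expected.
    print("bash entry:", parse_distinfo(BASH_DISTINFO)["bash/bash-4.3.tar.gz"])
```

Run it with `python3 distinfo_check.py`; the three verification calls return `(True, 'ok')`, a SHA256 mismatch and a size mismatch respectively.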