Mailinglist Archive: opensuse-factory (471 mails)

Re: [opensuse-factory] Security Implications of opening Factory
  • From: Karsten König <remur@xxxxxxx>
  • Date: Sat, 13 Jun 2009 15:52:25 +0200
  • Message-id: <200906131552.26089.remur@xxxxxxx>

On Friday, 12 June 2009 11:26:31, Marcus Meissner wrote:
> Well, the only way to be doing this effectively is to make it mandatory.

For the main repository, I think the other obs repos don't really need such a
level of integrity check

> If we enforce this to be mandatory there will be quite an outcry, because
> we did not do this before and it actually causes even more work.

How does this cause more work, then?
"You either trust the submitter, you review the tarball (or its diff) or
replace it with a known good one (from the original server)."
The first one is easiest, but might not fit every time; reviewing the tarball or
diff isn't something feasible, and just uploading a known good one, well, the
reviewer could have done that in the first place.

Another idea would be to display md5 / sha1 etc sums for all the files in osc
and web interface so people can quickly review manually where it makes sense
(as in: tarball used)

> Also it does not address the issue here tarballs are taken from
> SVN/GIT/etc checkouts.

Gah, right, but again you don't want to review the whole version?
People with higher credibility ranking could sign off the submit + hash sum?


PS: As Gerald outlined, FreeBSD is doing that, and Arch Linux is doing that as
well =)
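The hash-sum review discussed above (display sums, compare against a known good upstream file, and flag tarballs rolled from SVN/GIT checkouts that have no upstream reference), as an added example that is not code from this thread, from osc or from OBS. All file contents and sums below are constructed sample data.

```python
import hashlib

# Constructed sample data: the bytes stand in for tarballs in a submit request,
# and the manifest stands in for sums fetched from the upstream release server.
# sha1 is used because that is what the thread discusses; a current manifest
# would use sha256.
UPSTREAM_FOO = b"foo-1.0 pristine upstream release tarball"
UPSTREAM_BAR = b"bar-2.3 pristine upstream release tarball"

KNOWN_GOOD = {
    "foo-1.0.tar.gz": hashlib.sha1(UPSTREAM_FOO).hexdigest(),
    "bar-2.3.tar.gz": hashlib.sha1(UPSTREAM_BAR).hexdigest(),
}

SUBMITTED = {
    "foo-1.0.tar.gz": UPSTREAM_FOO,                         # identical to upstream
    "bar-2.3.tar.gz": UPSTREAM_BAR + b"\nextra",            # differs from upstream
    "baz-svn20090612.tar.gz": b"rolled from a checkout",    # no upstream sum exists
}


def review_sources(submitted, known_good):
    """Compare each submitted file against the known-good manifest.

    Returns a dict name -> verdict:
      'match'      digest equals the upstream sum
      'MISMATCH'   digest differs: replace with the upstream file or review the diff
      'unverified' no upstream reference (e.g. a tarball rolled from SVN/GIT),
                   so a hash alone proves nothing and a human sign-off is needed
    """
    verdicts = {}
    for name, data in submitted.items():
        digest = hashlib.sha1(data).hexdigest()
        if name not in known_good:
            verdicts[name] = "unverified"
        elif digest == known_good[name]:
            verdicts[name] = "match"
        else:
            verdicts[name] = "MISMATCH"
    return verdicts


def needs_human_review(verdicts):
    """Names the reviewer still has to look at by hand."""
    return sorted(n for n, v in verdicts.items() if v != "match")


if __name__ == "__main__":
    for name, verdict in review_sources(SUBMITTED, KNOWN_GOOD).items():
        print(f"{verdict:10s} {name}")
```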