On 2017-09-25, Hedayat Vatankhah <hedayat....@gmail.com> wrote:
> /*Pierre-yves Chibon*/ wrote on Mon, 25 Sep 2017 09:38:39 +0200:
>> It's an interesting idea but then it would become quite hard to check
>> if there is a mitm attack of some sort. With the current process, at
>> least the packager has the possibility to check the sources locally
>> before uploading them into Fedora.
>> The solution would be to provide the sha + the url and let the down
>> be server side but that won't save you from downloading the sources
>> locally first.
> Yes, but even if I'm forced to download locally, it is much better than 
> being forced to upload it again. (Also, note that the current process 
> doesn't prevent MITM if it happens when I download the source).

A packager is responsible for reviewing the code before uploading it to the
Fedora infrastructure. It does not matter whether the code matches what
upstream released. Actually in some cases the code is intentionally
changed by the packagers (e.g. when removing bad-licensed code).

In other words Fedora does not care about MITM between the upstream and
the packager. What matters is connection between the packager and
Fedora.

That does not mean the packager should not be concerned by MITM on him
or upstream. It just cannot be Fedora's business.

-- Petr
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org