On Wed, Sep 14, 2011 at 02:07:02AM -0600, Marius Cirsta <[email protected]> wrote:
> True but I don't really believe in coincidences that much. And it
> does sound very similar to what happened at kernel.org. Another
> concern I have here is are we sure they didn't alter anything on the
> build machines or something like that?

No package is being built on the compromised machine.

> I don't want to be paranoid but there's a lot that can be done to
> compromise the repos and all (compiler modification would be one
> thing). I'm new around here and not really an expert but I'm just
> asking.

No, that's normal, not paranoid at all. The trick is that we store the sha1sums in the fdb files and there are daily backups of fdbs. So modifying an fpm can't go unnoticed. About git, you can read up on "cryptographic authentication of history".
_______________________________________________
Frugalware-devel mailing list
[email protected]
http://frugalware.org/mailman/listinfo/frugalware-devel
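Added example, not part of the original message and not Frugalware's own tooling: a sketch of the check the reply describes, where package files are compared against the recorded sha1sums and the live records are compared against a backup copy. The dictionary layout, the function names and the sample package names are assumptions; the real fdb format is not shown in this thread.

```python
import hashlib

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def audit(packages, live_db, backup_db):
    """Compare package contents, the live checksum records and a backup.

    packages:  file name -> package bytes as found on the mirror
    live_db:   file name -> sha1 recorded in the current database
    backup_db: file name -> sha1 recorded in an earlier backup
    Returns a sorted list of (file name, finding).
    """
    findings = []
    for name in sorted(set(packages) | set(live_db) | set(backup_db)):
        live, old = live_db.get(name), backup_db.get(name)
        if name not in packages:
            findings.append((name, "package file missing"))
        elif live is None:
            findings.append((name, "package has no database record"))
        elif sha1_hex(packages[name]) != live:
            # File changed, database left alone.
            findings.append((name, "package does not match database"))
        elif old is None:
            findings.append((name, "record is new since the backup"))
        elif live != old:
            # File and database changed together: only the backup shows it.
            findings.append((name, "database record changed since backup"))
    return findings

def demo():
    # Constructed sample data (hypothetical package names and contents).
    original = {
        "foo-1.0-1.fpm": b"foo as built",
        "bar-2.1-1.fpm": b"bar as built",
        "baz-0.3-1.fpm": b"baz as built",
    }
    backup_db = {name: sha1_hex(data) for name, data in original.items()}
    packages = dict(original)
    live_db = dict(backup_db)
    # Case 1: file altered, live record rewritten to match it.
    packages["bar-2.1-1.fpm"] = b"bar altered"
    live_db["bar-2.1-1.fpm"] = sha1_hex(b"bar altered")
    # Case 2: file altered, live record untouched.
    packages["baz-0.3-1.fpm"] = b"baz altered"
    return audit(packages, live_db, backup_db)

if __name__ == "__main__":
    for name, finding in demo():
        print(f"{name}: {finding}")
```

A changed or new record is only a lead: it still has to be matched to a known rebuild, and the backup must be stored where the compromised machine cannot rewrite it.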
