On Fri, Sep 16, 2011 at 6:43 AM, Miklos Vajna <[email protected]> wrote:
> On Wed, Sep 14, 2011 at 02:07:02AM -0600, Marius Cirsta <[email protected]> wrote:
>>  True but I don't really believe in coincidences that much. And it
>> does sound very similar to what happened at kernel.org. Another
>> concern I have here is are we sure they didn't alter anything on the
>> build machines or something like that ?
>
> No package is being built on the compromised machine.
>
>>  I don't want to be paranoid but there's a lot that can be done to
>> compromise the repos and all ( compiler modification would be one
>> thing ). I'm new around here and not really an expert but I'm just
>> asking.
>
> No, that's normal, not paranoid at all. The trick is that we store the
> sha1sums in the fdb files and there are daily backups of fdbs. So
> modifying an fpm can't go unnoticed.
>
> About git, you can read up on "cryptographic authentication of history".
>
> _______________________________________________
> Frugalware-devel mailing list
> [email protected]
> http://frugalware.org/mailman/listinfo/frugalware-devel
>
>

 I think that just about covers it, good to know we have such things
covered. I've already read about git and I trust its security. It's
not that I don't trust Frugalware's, it's just that I had no info
regarding that.
 Still, I find the attack to be strange and I think it's best to think
of the worst case scenario. Yes, it could have been some script kiddie
or something but then again it might not have been. And even though FW
is not the largest distro out there it still has plenty of users.
 Anyway good to know things are OK and there are safeguards in place.