On 10/31/2016 02:12 PM, Florian Weimer wrote:
On 10/31/2016 02:01 PM, Pavel Raiskup wrote:
> On Monday, October 31, 2016 1:45:22 PM CET Florian Weimer wrote:
>> On 10/26/2016 02:45 PM, Pavel Raiskup wrote:
>>> On Wednesday, October 26, 2016 1:33:34 PM CEST Florian Weimer wrote:
>>>> Debian does not build from SCM, but directly from maintainer-uploaded
>>>> source packages, so there is no need to have a private SCM.
>>>
>>> Do we have a good marketing for the fact that we are that "superior"
>>> compared to Debian then? Sounds like a main thing for distro comparison
>>> article: It sounds like this is much, *much* more difficult to get
>>> malicious software into distribution (without noticing) for Fedora packager
>>> than for Debian packager, right?
>>
>> You need people to actually look at stuff that's being uploaded. I
>> don't think there is a key difference between Fedora and Debian as far
>> as this aspect is concerned.
>>
>> In addition, Koji likely allows you to create tagged builds which came
>> from SRPMs, so I don't think there is an actual difference here in
>> terms of attack surface (at least not in Fedora's favor).
>
> Do you mean that this is allowed by policy or that this is "implemented"?
I don't think Koji implements the necessary build provenance checks to
implement a different policy.
I'm wrong, Koji handles this. Thanks to Kevin for pointing this out to me.
Florian