On Tue, 5 Jul 2011, Misha Shnurapet wrote: >> The backdoor payload is interesting. In response to a :) smiley face in the >> FTP username, a TCP callback shell is attempted. > >> There is no obfuscation. > > I have a question: how does that relate to our package building process, and > are GPG signatures verified?
For Fedora, package maintainers are responsible for uploading verified tar balls to the fedora build system. I know I check the gpg signatures on the ones I upload, though these are not always available as separate sig files. It would be nice if we could upload/commit the .asc or .sig file, and have the rpmbuild script automatically check the tar ball. Paul -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
