Re: security of the lookaside cache (was: frafra uploaded yumex-dnf-4.1.6.tar.gz for yumex-dnf)

2015-12-30 Thread Mathieu Bridon
On Wed, 2015-12-30 at 20:09 +0100, Pierre-Yves Chibon wrote: > On Wed, Dec 30, 2015 at 07:38:35PM +0100, Björn Persson wrote: > > But still, why are we still using MD5? > > For the record bochecha has been leading the move away from md5 to > sha, making the changes in such a way that it will give

Re: Firefox build?

2015-12-30 Thread Bojan Smojver
Neal Gompa writes: > Is there a simple way to test if the issue is a problem on Fedora? I > don't even know of any sites with TLS 1.2 using MD5 signatures, > especially when Chrome "broke" signatures that weren't SHA-256 or > better for SSLv3 and stronger a year ago... I guess one can

Re: security of the lookaside cache

2015-12-30 Thread Björn Persson
Kevin Fenzi wrote: > On Wed, 30 Dec 2015 19:38:35 +0100 > Björn Persson wrote: > > Without commit access to Git the attacker couldn't edit the sources > > file, so – assuming that everything that uses the lookaside cache > > bothers to verify the checksum – the attacker would have to forge a > > t

Re: security of the lookaside cache (was: frafra uploaded yumex-dnf-4.1.6.tar.gz for yumex-dnf)

2015-12-30 Thread Pierre-Yves Chibon
On Wed, Dec 30, 2015 at 07:38:35PM +0100, Björn Persson wrote: > Tim Lauridsen wrote: > > How do I handle a situation where someone, without my knowledge > > uploads new sources to one of my projects. It could be a security > > problem? > > While I trust that Francesco had only good intentions, t

Re: security of the lookaside cache (was: frafra uploaded yumex-dnf-4.1.6.tar.gz for yumex-dnf)

2015-12-30 Thread Kevin Fenzi
On Wed, 30 Dec 2015 19:38:35 +0100 Björn Persson wrote: > Tim Lauridsen wrote: > > How do I handle a situation where someone, without my knowledge > > uploads new sources to one of my projects. It could be a security > > problem? > > While I trust that Francesco had only good intentions, the

security of the lookaside cache (was: frafra uploaded yumex-dnf-4.1.6.tar.gz for yumex-dnf)

2015-12-30 Thread Björn Persson
Tim Lauridsen wrote: > How do I handle a situation where someone, without my knowledge > uploads new sources to one of my projects. It could be a security > problem? While I trust that Francesco had only good intentions, the general question remains: Is it possible to modify a package without com

Fedora Rawhide 20151230 compose check report

2015-12-30 Thread Fedora compose checker
Missing expected images: Cloud_atomic disk raw x86_64 No images in this compose but not Rawhide 20151229 Images in Rawhide 20151229 but not this: Mate live i386 Failed openQA tests: 3 of 61 ID: 2023 Test: i386 kde_live default_install URL: https://openqa.fedoraproject.org/tests/2023 ID

Re: Fwd: frafra uploaded yumex-dnf-4.1.6.tar.gz for yumex-dnf

2015-12-30 Thread Francesco Frassinelli
> How do I handle a situation where someone, without my knowledge uploads > new sources to one of my projects. It could be a security problem? Sorry Tim and sorry everyone for this false alarm. I was playing with fedpkg and I realized I could upload new sources; I thought I could provide a comp

rawhide report: 20151230 changes

2015-12-30 Thread Fedora Rawhide Report
Compose started at Wed Dec 30 05:15:02 UTC 2015 Broken deps for i386 -- [IQmol] IQmol-2.3.0-9.fc24.i686 requires libboost_serialization.so.1.58.0 IQmol-2.3.0-9.fc24.i686 requires libboost_iostreams.so.1.58.0 IQmol-2.3.0

Re: frafra uploaded yumex-dnf-4.1.6.tar.gz for yumex-dnf

2015-12-30 Thread Michael Schwendt
On Tue, 29 Dec 2015 21:15:12 -0700, Orion Poplawski wrote: > On 12/28/2015 02:35 AM, Tim Lauridsen wrote: > > How do I handle a situation where someone, without my knowledge uploads > > new sources to one of my projects. It could be a security problem? > > > > Tim > > Email the person and ask