On Wed, 2015-12-30 at 21:07 +0100, Björn Persson wrote:
> Kevin Fenzi wrote:
> > On Wed, 30 Dec 2015 19:38:35 +0100
> > Björn Persson wrote:
> > > Without commit access to Git the attacker couldn't edit the sources
> > > file, so – assuming that everything that uses the lookaside cache
> > > bothe
On Wed, 2015-12-30 at 20:09 +0100, Pierre-Yves Chibon wrote:
> On Wed, Dec 30, 2015 at 07:38:35PM +0100, Björn Persson wrote:
> > But still, why are we still using MD5?
>
> For the record bochecha has been leading the move away from md5 to
> sha, making the changes in such a way that it will give
Kevin Fenzi wrote:
> On Wed, 30 Dec 2015 19:38:35 +0100
> Björn Persson wrote:
> > Without commit access to Git the attacker couldn't edit the sources
> > file, so – assuming that everything that uses the lookaside cache
> > bothers to verify the checksum – the attacker would have to forge a
> > t
On Wed, Dec 30, 2015 at 07:38:35PM +0100, Björn Persson wrote:
> Tim Lauridsen wrote:
> > How do I handle a situation where someone, without my knowledge,
> > uploads new sources to one of my projects. It could be a security
> > problem?
>
> While I trust that Francesco had only good intentions, t
On Wed, 30 Dec 2015 19:38:35 +0100
Björn Persson wrote:
> Tim Lauridsen wrote:
> > How do I handle a situation where someone, without my knowledge,
> > uploads new sources to one of my projects. It could be a security
> > problem?
>
> While I trust that Francesco had only good intentions, the
Tim Lauridsen wrote:
> How do I handle a situation where someone, without my knowledge,
> uploads new sources to one of my projects. It could be a security
> problem?
While I trust that Francesco had only good intentions, the general
question remains: Is it possible to modify a package without com