First, prior to the meat of this post, I'm going to give some background since not all readers of the planet are packagers :)
For those who might not be familiar with our packaging environment in Fedora, our spec files, patches, and other small files are stored in CVS. Since CVS is not suited to storing large binary blobs (read: source tarballs), there is something that sits alongside CVS called the lookaside cache, which is used to store these things. When they are required by koji, the buildsystem, it gets the source from the lookaside cache and all the applicable patches and spec files from CVS, and builds an SRPM, which finally gets built into binary RPMs.
Up until yesterday, this lookaside cache was a big black box to Fedora packagers. There was no notification provided that a file was uploaded to it. This presented a minor, but plausible, security issue for our packaging process whereby a rogue individual could upload a doctored tarball of the next upstream release of a package, with an identical md5sum to the upstream version, and no one would ever know (if an identically named file with an identical md5sum exists in the lookaside cache, no upload is done). With this new enhancement, the package owner will be notified, and can take corrective action if he finds it necessary.
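The following toy model is an added example, not Fedora's lookaside code: it shows why the first upload under a given name and md5sum wins, and how the new notification gives the owner something to review. The class, the notification fields and the names `alice` and `mallory` are assumptions made for illustration, and identical bytes stand in for a doctored file with a matching md5sum, since the cache cannot tell the two apart.

```python
import hashlib


class LookasideCache:
    """Toy model of the lookaside behaviour described in the post."""

    def __init__(self, owners):
        self.owners = owners      # package -> owner (constructed data)
        self.files = {}           # (package, filename, md5) -> uploader
        self.notifications = []   # stands in for mail sent to the owner

    def upload(self, package, filename, data, uploader):
        md5 = hashlib.md5(data).hexdigest()
        key = (package, filename, md5)
        if key in self.files:
            # Same name and md5sum already cached: nothing is uploaded and
            # the first uploader's bytes stay in place.
            return "skipped"
        self.files[key] = uploader
        # The enhancement: tell the package owner about every new file.
        self.notifications.append({
            "to": self.owners[package], "package": package,
            "filename": filename, "md5": md5, "uploader": uploader,
        })
        return "stored"


def uploads_to_review(cache):
    """Notifications where someone other than the owner supplied the file."""
    return [n for n in cache.notifications if n["uploader"] != n["to"]]


def demo():
    cache = LookasideCache({"foo": "alice"})
    tarball = b"constructed stand-in for foo-1.1.tar.gz"
    first = cache.upload("foo", "foo-1.1.tar.gz", tarball, "mallory")
    second = cache.upload("foo", "foo-1.1.tar.gz", tarball, "alice")
    return first, second, uploads_to_review(cache)


if __name__ == "__main__":
    print(demo())
```

Without the notification list, the owner's later upload is skipped with no sign that the cached file came from someone else.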