[Mageia-dev] Problem with missing signatures

Pascal Terjan pterjan at gmail.com
Sat Dec 29 20:11:36 CET 2012


On Sat, Dec 29, 2012 at 6:49 PM, Kamil Rytarowski <n54 at gmx.com> wrote:
> Hello!
>
> Could we add a trigger to prevent unsigned packages from being uploaded?
>
> I've faced again bunch of unsigned packages.. and when I was trying to
> rebuild plexus-i18n against missing signature, with bumping the release -
> the build system said it's already built with that version [1].
>
> How is it possible? I have checked the history of this package.. and it was
> never released as the version in the build system.
>
> Am I missing something? Was there an attack and a package injection?
>
> Kamil
>
> [1]
> http://svnweb.mageia.org/packages/cauldron/plexus-i18n/current/SPECS/plexus-i18n.spec?r1=268801&r2=335589

It seems someone manually uploaded the package on December 1st, after
building it on a machine named karamel, this seems to be dmorgan's
machine


More information about the Mageia-dev mailing list