Karna@lemmy.ml to Linux@lemmy.ml · 7 months ago
Oh Snap! Canonical now doing manual reviews for new packages due to scam apps (www.gamingonlinux.com)
23 comments
delirious_owl@discuss.online · 7 months ago
Why just now? Meanwhile, all Debian packages on their apt repos are reviewed and maintained by Debian.

AChiTenshi@sh.itjust.works · 7 months ago
I would imagine the recent xz backdoor discovery spooked them a bit. So now they are going to check things. We shall see if it continues or not.

Pantherina@feddit.de · 7 months ago
No. They will likely still use release tarballs.

vanderbilt@lemmy.world · 7 months ago
And MD5 for package integrity checking, and not using per-package PKI signatures.

Pantherina@feddit.de · 7 months ago (edited)
Cough. Fedora does that (using rpm-sequoia written in Rust) and also uses zst instead of xz for RPMs since Fedora 31.
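The thread's point about MD5 checksums versus per-package signatures is worth seeing in code. The example below is added here and is not from the linked article, from Canonical, or from any of the commenters; it uses constructed sample bytes and a throwaway Ed25519 key pair, not any real repository's key material. It models an attacker who controls the distribution channel (a mirror, CDN or on-path position) and can rewrite both the archive and the checksum file shipped beside it. The checksum-only client accepts the swap, because any unkeyed digest (MD5, or SHA-256 for that matter) can simply be recomputed; the signature-aware client rejects it, because producing a fresh signature requires the signing key the attacker does not have. MD5's collision weaknesses are a separate issue and are not what this example relies on.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Package is a constructed stand-in for a downloaded archive plus the
// metadata a repository publishes next to it. All field names are
// assumptions for this example, not any real package format.
type Package struct {
	Name    string
	Payload []byte // archive bytes (constructed sample data)
	MD5Hex  string // unkeyed digest shipped alongside the payload
	Sig     []byte // detached Ed25519 signature over SHA-256(payload)
}

// publish builds the repository's view of a package: an MD5 digest anyone
// can compute, and a signature only the holder of priv can produce.
func publish(name string, payload []byte, priv ed25519.PrivateKey) Package {
	sum := md5.Sum(payload)
	digest := sha256.Sum256(payload)
	return Package{
		Name:    name,
		Payload: payload,
		MD5Hex:  hex.EncodeToString(sum[:]),
		Sig:     ed25519.Sign(priv, digest[:]),
	}
}

// checksumOK is all a checksum-only client does: recompute and compare
// against a value that travelled over the same channel as the payload.
func checksumOK(p Package) bool {
	sum := md5.Sum(p.Payload)
	return hex.EncodeToString(sum[:]) == p.MD5Hex
}

// signatureOK is what a signature-aware client does: verify the detached
// signature against a public key obtained out of band (a pinned keyring),
// so the trust anchor does not come from the possibly hostile channel.
func signatureOK(p Package, pub ed25519.PublicKey) bool {
	digest := sha256.Sum256(p.Payload)
	return ed25519.Verify(pub, digest[:], p.Sig)
}

// tamper models an attacker on the distribution path: the payload and the
// checksum file are both rewritten, but Sig cannot be regenerated without
// the private key, so the stale signature no longer matches the payload.
func tamper(p Package, replacement []byte) Package {
	sum := md5.Sum(replacement)
	p.Payload = replacement
	p.MD5Hex = hex.EncodeToString(sum[:])
	return p
}

// Demo runs the whole scenario and reports, in order: whether the tampered
// package passes the MD5 check, whether it passes signature verification,
// and whether the untouched package verifies. Returned rather than only
// printed so the outcome can be checked programmatically.
func Demo() (tamperedChecksumOK, tamperedSigOK, genuineSigOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // throwaway key for the example
	if err != nil {
		return false, false, false, err
	}
	genuine := publish("example-tool", []byte("constructed: legitimate archive bytes"), priv)
	evil := tamper(genuine, []byte("constructed: archive with an injected payload"))
	return checksumOK(evil), signatureOK(evil, pub), signatureOK(genuine, pub), nil
}

func main() {
	ck, sig, ok, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("tampered package, MD5 check:        %v\n", ck)  // true: attacker refreshed the digest
	fmt.Printf("tampered package, signature check:  %v\n", sig) // false: signature no longer matches
	fmt.Printf("genuine package, signature check:   %v\n", ok)  // true
}
```

The key step is where the verifier's public key comes from: `signatureOK` takes it as a parameter rather than reading it from the package, which is what a pinned distribution keyring provides in practice. If the public key were downloaded from the same mirror as the archive, the attacker could replace it too and the signature check would degrade to the checksum case.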