The release manager (RM)
- creates a binary from his copy of source.
- generates a checksum key to allow validation of no tampering of the RM's build.

The RM could insert malicious code into the build. If that were to happen - the RM would probably be kicked out of the project in a hurry.

It's not valid to trust a source release download either. It's easy to tamper with the source just as it is the binary. But having the source at this point does allow for easy audits.

If you are really paranoid, building your binary from the appropriate TAG would be safest, since you are getting the original source, not repackaged versions.

-Tim
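The checksum step Tim describes is what a downstream user actually runs before unpacking a binary distribution. The script below is an added example, not code from the thread or from the project: it computes the SHA-256 digest of a downloaded artifact and compares it against the digest the project publishes, rejecting the file on mismatch. The artifact and its expected digest are constructed inline (the digest is that of the bytes `hello\n`), and the file name `tomcat-demo.tar.gz` is a placeholder, not a real release file.

```shell
#!/bin/sh
# Added example: verify a downloaded release artifact against a published
# SHA-256 digest. The artifact and digest below are constructed for the demo;
# in practice the digest comes from the project's download page (or a
# detached .sha256 file fetched over HTTPS, separately from a mirror).

# Print the hex SHA-256 of a file. Uses coreutils sha256sum where present,
# otherwise BSD/perl shasum, so the check runs on Linux and macOS alike.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_artifact FILE EXPECTED_DIGEST
# Returns 0 when the file's digest equals EXPECTED_DIGEST, 1 otherwise.
# The comparison is on the full hex string, so a truncated or partially
# matching digest is treated as a failure, not a pass.
verify_artifact() {
  actual=$(sha256_of "$1")
  if [ "$actual" = "$2" ]; then
    echo "OK: $1 matches published digest"
    return 0
  fi
  echo "TAMPERED or corrupt: $1" >&2
  echo "  expected $2" >&2
  echo "  actual   $actual" >&2
  return 1
}

# --- constructed demonstration ---
demo_dir=$(mktemp -d)
# "Published" digest: SHA-256 of the byte string "hello\n".
published=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

# A download whose bytes match what the RM published passes.
printf 'hello\n' > "$demo_dir/tomcat-demo.tar.gz"
verify_artifact "$demo_dir/tomcat-demo.tar.gz" "$published"

# A single changed byte (as after a repackaged or tampered download) fails.
printf 'hellp\n' > "$demo_dir/tomcat-demo-modified.tar.gz"
verify_artifact "$demo_dir/tomcat-demo-modified.tar.gz" "$published" \
  || echo "refusing to install modified artifact"

rm -rf "$demo_dir"
```

A digest hosted next to the binary on the same mirror only proves the download arrived intact; it does not distinguish an honest RM build from one the RM (or whoever controls the mirror) altered. The usual complement is a detached PGP signature checked against a key in the project's own KEYS file, which at least ties the artifact to a named release manager's key, and, as Tim notes, building from the tagged source if the remaining trust in the RM's build environment is still too much.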

Mark Claassen wrote:
My boss has implemented some new procedures with regard to open source
projects.  He believes the source distributions are trustworthy, but he is
not sure if he trusts the binary distributions.  I think the reasoning is
that he is uncertain if the binary distributions are controlled as well as
the source ones are.  And if they are not, someone could inject some
malicious code to expose customer data or something.

Can someone give me a brief explanation on how the binary distributions are
created for 5.5?  Are the binary distributions created automatically from
the repository, leaving no chance for nefarious tampering?
