On Sat, Dec 29, 2012 at 6:49 PM, Kamil Rytarowski <[email protected]> wrote:
> Hello!
>
> Could we add a trigger to prevent unsigned packages from being uploaded?
>
> I've again faced a bunch of unsigned packages.. and when I was trying to
> rebuild plexus-i18n against missing signature, with bumping the release -
> the build system said it's already built with that version [1].
>
> How is it possible? I have checked the history of this package.. and it was
> never released as the version in the build system.
>
> Am I missing something? Was there an attack and a package injection?
>
> Kamil
>
> [1]
> http://svnweb.mageia.org/packages/cauldron/plexus-i18n/current/SPECS/plexus-i18n.spec?r1=268801&r2=335589

It seems someone manually uploaded the package on December 1st, after building it on a machine named karamel; this seems to be dmorgan's machine.
