OpenSSH 3.4p1 - compilation problem on Linux
Craig Emery
craig.emery at 3glab.com
Thu Jun 27 23:48:53 EST 2002
Hiya,
One of the other "issues" I came across with building RPMs was that I
couldn't just do
% rpm -tb SOURCES/openssh-3.4p1.tar.gz
because the .spec file that was found was *not* the
openssh-3.4p1/contrib/redhat/openssh.spec one. :-(
I haven't checked but I guess rpm "grabs" the first one it finds in a
tarball (which would have been openssh-3.4p1/contrib/caldera/openssh.spec).
Now you may say "if a user can do rpm -tb ... they can figure this out"
but this made me scratch my head for a while & I maintain RPMs for two
SF.net projects.
On the general note of who to trust binaries from, you're right. All the
signature on the binaries I've produced proves is that *I'm* the guy who
built it. It speaks naught to how trustable I am! :-)
Now a process where people submit themselves to some kind of scrutiny
(presumably to DJM as it's his key we're all trusting for the tarballs),
& get their public keys a degree of "trust" might be a good start.
Just my $0.02. :-)
Craig.
Christian Vogel wrote:
> Hi,
>
>
>>I've just successfully built RedHat 7.2 RPMs.
>
>
> The question is if it is wise to grab such security
> sensitive things like the ssh-server from just somewhere...?
>
> On the other hand it should be made very easy for people
> to upgrade, and maybe some people don't want to rpm -ba/--rebuild
> or don't even have a compiler on their web/dns/... server?
>
> Is there some official policy encouraging<sp?> people
> to contribute binaries... or to refrain from it?
>
> Chris
> (who just built RH7.1 i386.rpms... :-) )