Re: [Cooker] GNUtls in 2008.1

Guillaume Rousse

2008-05-21

Gustavo De Nardin (spuk) wrote:
> * Guillaume Rousse <Guillaume.Rousse@(protected)]:
>> Gustavo De Nardin (spuk) wrote:
>>> What was the reasoning on shipping a development version of GNUtls in
>>> 2008.1?
>> I was unaware this was a devel version.
>
> Was this an automatic upgrade done via mdvsys?
If you mean the decision to update it to this version, no, I don't trust
automated tools for such purposes on software I don't know enough. And
if you mean the process of updating the spec file once the decision was
taken, also no, as it would not have automatically removed a missing
source.

>>> And...
>>> * Seg Fev 18 2008 Guillaume Rousse <guillomovitch@(protected)>
>>> 2.3.0-1mdv2008.1
>>> + Revision: 171614
>>> - new version
>>> drop signature file from sources (missing from mirrors)
>>>
>>> So if you can't find a signature file, and thus can't verify the origin and
>>> integrity of a very important security library, you just drop the
>>> signature?
>>> What is the logic on that?
>> I guess I was more interested in upgrading the package than in the
>> presence of an unused optional file in the package.
>
> It doesn't matter if the file was unused here, one doesn't upgrade a
> security sensitive package to a non-verified version. The presence of the
> signature should be enough of a hint.
That has never been advertised before. And the presence of a signature
file in the package usually depends more on the availability of it from
upstream developers than on an explicit decision to label the package
as 'security sensitive'.

--
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62