Linked by Thom Holwerda on Wed 16th Dec 2009 21:38 UTC, submitted by whorider
Privacy, Security, Encryption This news is already a week old, but it only got submitted to us today, and I didn't notice it at all. As it turns out, two malicious software packages had been uploaded to, masquerading as valid .deb packages (a GNOME screensaver and theme, respectively).
RE[2]: Bottom Line
by lemur2 on Thu 17th Dec 2009 00:42 UTC in reply to "RE: Bottom Line"

This results in one tarball having to be packaged a whole bunch of times to reach most Linux users.

Typically, this is handled by a division of responsibility.

A "project", such as KDE, will work on source code. They will typically use a source code management system (perhaps SVN or Git), and they will have a community of developers, maintainers and testers, etc., etc.

Once a project releases a new version, the repositories take that source code, compile it for their given distribution with switches for their supported architecture(s) and directory structures, and make sure it works against all of its dependencies at the version they are at in the distribution. If all is OK, they package it (into a .deb or a .rpm or a .tgz or whatever that distribution uses), include it in the repository storage area, and index the newly updated package in the repository index files.

There is one set of application developers, and one or more package maintainers at each distribution.

It isn't too onerous. It typically works well enough, even to the extent that it is possible to have one-man distributions.

Reply Parent Score: 3
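As an added illustration of the packaging step lemur2 describes, not code from the comment or from any distribution's tooling: a Python sketch that assembles a minimal .deb in memory and then inspects it the way a repository maintainer reviewing a submitted package would, reporting the control fields and any maintainer scripts (preinst/postinst/prerm/postrm) that dpkg would run as root at install time. The package name, file paths and script contents are constructed for the demo; the tar members are left uncompressed for brevity.

```python
import io
import tarfile
AR_MAGIC = b"!<arch>\n"
MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}
def _ar_member(name: str, data: bytes) -> bytes:
    # Fixed 60-byte ar header (name, mtime, uid, gid, mode, size, magic); body padded to even length.
    header = f"{name:<16}{'0':<12}{'0':<6}{'0':<6}{'100644':<8}{len(data):<10}`\n"
    return header.encode("ascii") + data + (b"\n" if len(data) % 2 else b"")

def _tar_bytes(members: dict) -> bytes:
    # Uncompressed tar built in memory; real packages usually gzip or xz this member.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in members.items():
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(content), 0o755
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def build_deb(control: str, scripts: dict, payload: dict) -> bytes:
    # Constructed sample builder: ar archive of debian-binary, control.tar and data.tar.
    ctrl = {"./control": control.encode()}
    ctrl.update({"./" + name: body for name, body in scripts.items()})
    return (AR_MAGIC + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar", _tar_bytes(ctrl))
            + _ar_member("data.tar", _tar_bytes(payload)))

def inspect_deb(deb: bytes) -> dict:
    # Returns the control fields and the maintainer scripts dpkg would run as root on install.
    if not deb.startswith(AR_MAGIC):
        raise ValueError("not an ar archive, so not a .deb")
    pos, members = len(AR_MAGIC), {}
    while pos + 60 <= len(deb):
        name = deb[pos:pos + 16].decode("ascii").strip().rstrip("/")
        size = int(deb[pos + 48:pos + 58].decode("ascii"))
        members[name] = deb[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)  # members start on even offsets
    ctrl_name = next(n for n in members if n.startswith("control.tar"))
    with tarfile.open(fileobj=io.BytesIO(members[ctrl_name]), mode="r") as tar:
        entries = {(m.name[2:] if m.name.startswith("./") else m.name): tar.extractfile(m).read()
                   for m in tar.getmembers() if m.isfile()}
    fields = dict(line.split(": ", 1)
                  for line in entries["control"].decode().splitlines() if ": " in line)
    return {"fields": fields, "scripts": sorted(MAINTAINER_SCRIPTS & entries.keys())}

def demo_report() -> dict:
    # Constructed sample: a "theme" package that also ships a postinst script.
    deb = build_deb("Package: example-theme\nVersion: 1.0\nArchitecture: all\n",
                    {"postinst": b"#!/bin/sh\necho hello\n"}, {"./usr/share/doc/README": b"demo\n"})
    return inspect_deb(deb)
```

A package that claims to be only a theme or screensaver but carries maintainer scripts is exactly the kind of submission a repository maintainer would want to read before indexing it.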