ubuntu-phone team mailing list archive

Click packages and source code


Hi,

I've just been watching this demo [1] on how to publish click packages. Looks 
very promising! However, one question that comes up here is at the uploading 
step (3:13 in the video):

The website allows you to upload a binary package and a source package. However, I 
can't see any connection between those two. How can I be sure that the binary 
click package indeed contains an unmodified version of the uploaded source 
package? From what I can see here I could easily publish some source code and 
then build a malicious package containing some additional bad code.

Or will the uploaded binary click package be discarded and a new one built 
from the source in case the source is uploaded?

Thanks,
Michael

[1] http://www.youtube.com/watch?v=BjGAnV33GHU
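The check the post is asking for is, in substance, a reproducibility check: rebuild the uploaded source and compare the result with the uploaded binary. The following is an added example, not code from the post, from the click tooling or from the Ubuntu app store. It models both the "binary" and the rebuild as plain tar archives with normalised metadata (fixed mtime, owner, mode and member order) built from a constructed sample tree; the file names, the `com.example.hello` manifest and the `extra.sh` payload are all invented for illustration, and real click packages and their build steps are not modelled.

```python
"""
Added example, not from the post or the click/Ubuntu tooling: check that a
published binary archive is exactly what a deterministic rebuild of the
published source produces. Both the "binary" and the rebuild are modelled as
plain tar archives built from a constructed sample tree; real click packages
and their build steps are not modelled.
"""
import hashlib
import hmac
import io
import os
import tarfile
import tempfile

# Constructed sample source tree (hypothetical app, not a real click package).
SAMPLE_SOURCE = {
    "manifest.json": '{"name": "com.example.hello", "version": "0.1"}\n',
    "app/main.qml": 'import QtQuick 2.0\nText { text: "hello" }\n',
}


def make_source_tree(base: str, files: dict) -> str:
    """Write the given relative-path -> content mapping under base."""
    for rel, content in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return base


def build_deterministic(source_dir: str) -> bytes:
    """Pack source_dir into a tar archive with normalised metadata (fixed
    mtime, owner and mode, sorted member order) so that identical trees always
    give byte-identical archives; this stands in for a reproducible build."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for root, dirs, files in os.walk(source_dir):
            dirs.sort()  # make the walk order independent of the filesystem
            for name in sorted(files):
                path = os.path.join(root, name)
                info = tar.gettarinfo(path, arcname=os.path.relpath(path, source_dir))
                info.mtime = 0
                info.uid = info.gid = 0
                info.uname = info.gname = ""
                info.mode = 0o644
                with open(path, "rb") as fh:
                    tar.addfile(info, fh)
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def binary_matches_source(binary: bytes, source_dir: str) -> bool:
    """True only if the uploaded binary is byte-for-byte what rebuilding the
    uploaded source yields. A store doing this could discard the uploaded
    binary and serve the rebuilt one instead."""
    rebuilt = build_deterministic(source_dir)
    return hmac.compare_digest(sha256_hex(binary), sha256_hex(rebuilt))


def demo() -> dict:
    """Honest developer: binary built from the published source.
    Dishonest developer: publishes the same source but ships a binary built
    from a tree with an extra payload (the scenario raised in the post)."""
    with tempfile.TemporaryDirectory() as tmp:
        published_src = make_source_tree(os.path.join(tmp, "published"), SAMPLE_SOURCE)
        honest_binary = build_deterministic(published_src)

        tampered_src = make_source_tree(
            os.path.join(tmp, "tampered"),
            {**SAMPLE_SOURCE, "app/extra.sh": "# payload not present in published source\n"},
        )
        tampered_binary = build_deterministic(tampered_src)

        return {
            "honest_matches": binary_matches_source(honest_binary, published_src),
            "tampered_matches": binary_matches_source(tampered_binary, published_src),
            "rebuild_is_deterministic": build_deterministic(published_src) == honest_binary,
        }


if __name__ == "__main__":
    print(demo())
```

The comparison only works because the rebuild is deterministic; a real package build that embeds timestamps, build paths or tool versions would differ on every run, which is why a store that wants to tie a binary to its source either needs reproducible builds or has to build from the source itself and ignore the developer's binary.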