Warren Togami wrote:
> fedora.us and I believe Legacy should REFUSE to publish anything that
> has not been thoroughly checked by more than one trusted person. This
> is especially important for Legacy because far fewer people would be
> doing quality assurance and real world testing.
Another emphatic YES from me. If we expect people to trust us for security patches, we must provide them with some assurance that a) the fix works, and b) it does not contain malicious code. Neither of these determinations should be left up to a single person, and CERTAINLY not to the person who submits the patch.
I imagine the other Fedora developers are planning to address this problem, since they also have to distribute code supplied by their semi-anonymous developer community. Does anyone know how they plan to handle things?
David
--
David J. Bianco, GSEC GCUX GCIH <bianco@xxxxxxxx>
Thomas Jefferson National Accelerator Facility
GPG Fingerprint: 516A B80D AAB3 1617 A340 227A 723B BFBE B395 33BA
The views expressed herein are solely those of the author and not those of SURA/Jefferson Lab or the US DOE.