On Wed, Jan 31, 2007 at 08:46:47AM +0100, Hans de Goede wrote:
> touched in a harmful way. Just because someone is a beginning packager
> doesn't mean that he will start submitting random changes to other
> people's packages.

Your risk model is wrong. One of your beginning programmers (probably a
beginner but it could be any of us) gets trojanned. The attacker then inserts
a worm into the autoconf scripts for that package which goes around committing
itself to other packages while infecting anyone who builds the package and
adding backdoors to their machines. Within a couple of days you'll have chaos.

If users can only touch packages they have access to then the ability for this
kind of attack drops dramatically and it's more likely to be picked up early.

And people *WILL* try this sort of stuff because the prize (breaking into the
Red Hat internal network) is so high.

Alan

--
Fedora-maintainers mailing list
Fedora-maintainers@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-maintainers

--
Fedora-maintainers-readonly mailing list
Fedora-maintainers-readonly@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-maintainers-readonly
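The control Alan argues for, per-package commit access, is easiest to see as a policy check run before a push is accepted. The following is an added illustration, not code from this thread or from the Fedora infrastructure: it assumes a hypothetical repository layout of `<package>/<files>`, a constructed ACL mapping package names to the accounts allowed to commit to them, and compares the set of packages one compromised account can reach under per-package ACLs against an open-commit policy.

```python
# Added example (not from the mailing list thread): enforce per-package
# commit ACLs and measure how many packages one compromised account can reach.
from typing import Dict, List, Set, Tuple

# Constructed ACL for illustration: package name -> accounts allowed to commit.
ACL: Dict[str, Set[str]] = {
    "foo": {"alice", "bob"},
    "bar": {"carol"},
    "baz": {"carol", "dave"},
}


def package_of(path: str) -> str:
    """Assumed layout: the first path component names the package."""
    return path.split("/", 1)[0]


def check_commit(committer: str, changed_paths: List[str],
                 acl: Dict[str, Set[str]] = ACL) -> Tuple[bool, List[str]]:
    """Accept a commit only if every touched path lies in a package the
    committer is listed for. Returns (allowed, list of offending paths).

    A trojanned account that tries to spread a change (for example to
    configure.ac) into packages it does not own is rejected on those paths,
    which both limits the spread and leaves a visible rejection to alert on.
    """
    violations = [p for p in changed_paths
                  if committer not in acl.get(package_of(p), set())]
    return (not violations, violations)


def blast_radius(account: str, acl: Dict[str, Set[str]] = ACL,
                 open_commit: bool = False) -> Set[str]:
    """Packages a single compromised account could write to.

    open_commit=True models the policy Alan warns against, where any packager
    may commit to any package; False models per-package ACLs.
    """
    if open_commit:
        return set(acl)
    return {pkg for pkg, members in acl.items() if account in members}


if __name__ == "__main__":
    # Constructed scenario: alice's account is compromised and the attacker
    # tries to commit an autoconf change to her own package and to another.
    attempt = ["foo/configure.ac", "bar/configure.ac"]
    allowed, bad = check_commit("alice", attempt)
    print("accepted" if allowed else f"rejected, offending paths: {bad}")
    print("reach with per-package ACLs:", sorted(blast_radius("alice")))
    print("reach with open commit:    ", sorted(blast_radius("alice", open_commit=True)))
```

The rejected paths are the detection signal: a push that touches packages outside the committer's ACL is exactly the event worth alerting on, since a legitimate maintainer rarely produces one and a worm of the kind described above would produce many.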