Re: new features in package CVS


On Wed, 2007-01-31 at 08:15 -0500, Alan Cox wrote:
> On Wed, Jan 31, 2007 at 08:46:47AM +0100, Hans de Goede wrote:
> > touched in a harmful way. Just because someone is a beginning packager 
> > doesn't mean that he will start submitting random changes to other 
> > people's packages.
> 
> Your risk model is wrong. One of your beginning programmers (probably a beginner
> but it could be any of us) gets trojanned. The attacker then inserts a worm
> into the autoconf scripts for that package which goes around committing itself
> to other packages while infecting anyone who builds the package and adding
> backdoors to their machines.
> 
> Within a couple of days you'll have chaos.
> 
> If users can only touch packages they have access to then the ability for this
> kind of attack drops dramatically and it's more likely to be picked up early.

I don't see this. We all signed the CLI, we all log in through ssl, the
VCS will log all changes, so everybody committing something already
should be traceable.

Whether somebody deliberately/non-deliberately places a trojan into a
package not owned by him or owned by somebody else, or imports an
infected tarball, doesn't make much of a difference.

> And people *WILL* try this sort of stuff because the prize (breaking into the
> Red Hat internal network) is so high.

The only thing that really changes with a merged Core/Extras is that the
impact of infecting a central package, which nowadays is in Core, would
likely be larger.

E.g. a thief having stolen a Fedora maintainer's notebook, or somebody
having intruded into a system with his "secret ssl keys, passwd, etc.",
will find 2000-3000 more packages he can place his malware on than he
could until now.

But .. isn't the likelihood of somebody intruding into a Fedora mirror and
placing malicious packages there much larger?

Ralf


--
Fedora-maintainers mailing list
Fedora-maintainers@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-maintainers

