On 1/31/07, Alan Cox <alan@xxxxxxxxxx> wrote:
On Wed, Jan 31, 2007 at 08:46:47AM +0100, Hans de Goede wrote: > touched in a harmfull way. Just because someone is a beginning packager > doesn't mean that he will start submitting random changes to other > peoples packages. Your risk model is wrong. One of your beginning programmers (probably a beginner but it could be any of us) gets trojanned. The attacker then inserts a worm into the autoconf scripts for that package which goes around committing itself to other packages while infecting anyone who builds the package and adding backdoors to their machines Within a couple of days you'll have chaos. If users can only touch packages they have access to then the ability for this kind of attack drops dramatically and its more likely to be picked up early. And people *WILL* try this sort of stuff because the prize (breaking into the Red Hat internal network) is so high
Riiiiiiiiiiiiiiiight. And people at redhat are completely immune to such attacks while the extra packagers are so nieve that it is very likely to happen once we open up the core cvs. I'm sorry, but this part of the discussion just seems completely laughable to me. -- Fedora-maintainers mailing list Fedora-maintainers@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-maintainers -- Fedora-maintainers-readonly mailing list Fedora-maintainers-readonly@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-maintainers-readonly
