Re: new features in package CVS


 



On 1/31/07, Alan Cox <alan@xxxxxxxxxx> wrote:
> On Wed, Jan 31, 2007 at 08:46:47AM +0100, Hans de Goede wrote:
> > touched in a harmful way. Just because someone is a beginning packager
> > doesn't mean that he will start submitting random changes to other
> > people's packages.
>
> Your risk model is wrong. One of your beginning programmers (probably a beginner
> but it could be any of us) gets trojanned. The attacker then inserts a worm
> into the autoconf scripts for that package which goes around committing itself
> to other packages while infecting anyone who builds the package and adding
> backdoors to their machines.
>
> Within a couple of days you'll have chaos.
>
> If users can only touch packages they have access to then the ability for this
> kind of attack drops dramatically and it's more likely to be picked up early.
>
>
> And people *WILL* try this sort of stuff because the prize (breaking into the
> Red Hat internal network) is so high.

Riiiiiiiiiiiiiiiight.

And people at redhat are completely immune to such attacks while the
extra packagers are so naive that it is very likely to happen once we
open up the core cvs.

I'm sorry, but this part of the discussion just seems completely
laughable to me.

--
Fedora-maintainers mailing list
Fedora-maintainers@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-maintainers
