On Wed, 2007-01-31 at 11:01 -0500, Alan Cox wrote:
> On Wed, Jan 31, 2007 at 04:53:18PM +0100, Ralf Corsepius wrote:
> > I don't see this. We all signed the CLI, we all log in through ssl, the
> > VCS will log all changes, so everybody committing something already
> > should be traceable.
>
> Which is frequently too late.

Yes, but do ACLs change anything about this?

Except that a maintainer won't be able to place a trojan into your packages, he still could place them into his. The end result would be the same: he would have infected Fedora and he would be traced down the same way.

> > Whether somebody deliberately/non-deliberately places a trojan into a
> > package not owned by him or owned by somebody else, or imports an
> > infected tarball, doesn't make much of a difference.
>
> The import tar ball is watched by a lot more people in a lot more places.

Really? Does anybody verify the tarballs a maintainer submitted against those on an external site, post-review?

Many packages don't even have an upstream, or their upstream is hidden in a VCS and therefore is not really monitored.

Does anybody check the patches inside of the look-aside cache? (They are invisible on fedora-commits, the list that nobody reads ;) )

Ralf
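Added example, not code from the thread or from Fedora's own tooling: a small Python checker for the post-review verification Ralf asks about, comparing tarballs held in a look-aside cache against a checksum manifest and flagging any tarball the manifest does not vouch for. The two manifest line formats and the sample tarballs are assumptions constructed here (modelled on the Fedora `sources` file, which the thread does not name).

```python
import hashlib
import re

# Assumption: manifest lines look like either "md5hex  filename" (old style)
# or "ALGO (filename) = hex" (new style); neither format is stated in the thread.
OLD_STYLE = re.compile(r"^([0-9a-f]{32})\s+(\S+)$")
NEW_STYLE = re.compile(r"^(\w+)\s+\((\S+)\)\s+=\s+([0-9a-f]+)$")


def parse_manifest(text):
    """Return {filename: (hash algorithm, expected hex digest)} for each parsable line."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = NEW_STYLE.match(line)
        if m:
            entries[m.group(2)] = (m.group(1).lower(), m.group(3))
            continue
        m = OLD_STYLE.match(line)
        if m:
            entries[m.group(2)] = ("md5", m.group(1))
    return entries


def digest(data, algo):
    return hashlib.new(algo, data).hexdigest()


def verify(manifest, local_files):
    """Compare cached tarballs ({filename: bytes}) against the manifest.
    Returns {filename: "ok" | "mismatch" | "unlisted" | "missing"}."""
    result = {}
    for name, data in local_files.items():
        if name not in manifest:
            result[name] = "unlisted"  # present in the cache, vouched for by nobody
            continue
        algo, expected = manifest[name]
        result[name] = "ok" if digest(data, algo) == expected else "mismatch"
    for name in manifest:
        result.setdefault(name, "missing")  # listed upstream, absent from the cache
    return result


def demo():
    """Constructed sample: one intact tarball, one altered tarball, one never listed."""
    good = b"constructed upstream tarball contents\n"
    altered = good + b"unexpected extra bytes\n"
    manifest = parse_manifest(
        f"SHA256 (foo-1.0.tar.gz) = {digest(good, 'sha256')}\n"
        f"{digest(good, 'md5')}  bar-2.0.tar.gz\n"
    )
    cache = {"foo-1.0.tar.gz": good, "bar-2.0.tar.gz": altered, "baz-0.1.tar.gz": good}
    return verify(manifest, cache)
```

Run against a real cache, the "unlisted" and "mismatch" rows are exactly the tarballs that reached the build system without anyone checking them against an external source.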