Re: new features in package CVS

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Jan 31, 2007 at 08:15:41AM -0500, Alan Cox wrote:
> On Wed, Jan 31, 2007 at 08:46:47AM +0100, Hans de Goede wrote:
> > touched in a harmfull way. Just because someone is a beginning packager 
> > doesn't mean that he will start submitting random changes to other 
> > peoples packages.
> 
> Your risk model is wrong. One of your beginning programmers (probably a beginner
> but it could be any of us) gets trojanned. The attacker then inserts a worm
> into the autoconf scripts for that package which goes around committing itself
> to other packages while infecting anyone who builds the package and adding
> backdoors to their machines

That could happen to anybody, and I don't think that it is a practical
attack. In mock, packages are built in a chroot and not by root. We look 
(or should look) at the commit list for packages we are interested in. 
Trojaned packages would only hurt those who rebuild packages without 
looking at the import. In my opinion, and I still may be wrong, 
most of the fedora contributors are experienced and less prone to be 
hurt by trojans than other people. And lastly I believe is that 
upstream sources at least as prone as this kind of attack than a
fedora without ACLs on CVS.

Of course there is still more risks without ACLs on cvs, but I think
that in the balance of risk versus practicability, having something open
is better. For gcc, kernel, libc, maybe perl and python, sure there
could be ACLs, for more collaborative stuff, especially what comes from 
fedora extras, I think it is better to keep things open.

--
Pat

--
Fedora-maintainers mailing list
Fedora-maintainers@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-maintainers

--
Fedora-maintainers-readonly mailing list
Fedora-maintainers-readonly@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-maintainers-readonly

[Index of Archives]     [Fedora Users]     [Fedora Development]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]

  Powered by Linux