On Tuesday 06 February 2007 19:24, Dominik 'Rathann' Mierzejewski wrote:
> And we had... how many incidents with people making themselves owners
> of others' packages, exactly? AFAIR the problem was mostly with people
> forgetting to add themselves to that file after importing a package.
>
> I'm not convinced this is a necessary change.

It is not a matter of what HAS been done, it's a matter of what _could_ be done. You don't lock the door to your house because somebody has already broken in, you lock it to prevent somebody from breaking in. Other people HAVE broken into other distributions and caused problems. This is closing a hole and narrowing the potential effect.

Nothing stops a rogue user from going through the review process for some innocuous piece of software, just to get CVS access, then changing ownership of, say, kernel, or gcc, or glibc, building something that will infect users and pushing it out, all because our system was open enough to let them. This is a very real concern, especially with the hype and media coverage the merger is bringing. I'd rather not sheepishly implement security after the fact when we can easily do it before the fact.

-- 
Jesse Keating
Release Engineer: Fedora
-- Fedora-maintainers mailing list Fedora-maintainers@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-maintainers