On Wednesday 07 February 2007 07:54, Roozbeh Pournader wrote:

> These rants are of course relevant only because I was the person whose
> laptop with the SSH keys was stolen, which could theoretically be used
> to find a way into the Extras system. The keys were of course password
> protected and I reported the situation to Fedora people as soon as
> possible on IRC, by email, and every other way I thought before a brute
> force could be used to find the passwords, but if we want to think about
> all the possible scenarios, a targeted attack could even have used my
> collaboration.
>
> Theoretically, someone may still use physical force on me and get me to
> type my password and insert whatever code he sees appropriate where he
> wishes. Do I value the security of Fedora users more than my life or my
> family's? Definitely not!

It is not so much about somebody stealing your account, it's about somebody going through the process to create their _own_ account. Once that has been done (and we keep wanting to LOWER the barrier for this!!), if there are no barriers in place, that person can now run roughshod all over all the packages, making any changes they want, building anything they want, causing automated pushes to push out whatever they built, leading to people grabbing packages and getting rooted, or even worse, insert some small thing in a package that gets pulled into most buildroots that will further taint any more builds. Could be hard to detect until it is far far too late.

With proper barriers in place, the most damage a rogue user can do is to their own package, or to any packages foolishly left wide open.

--
Jesse Keating
Release Engineer: Fedora
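The "barrier" argued for above is a per-package ownership check in front of every commit, build and push, so that an account created by anyone can only reach the packages it owns or packages that were deliberately opened to everyone. The following is an added illustration written for this thread, not code from the Fedora Extras infrastructure; the package names, account names and the `OPEN_TO_ALL` sentinel are constructed for the example, and `blast_radius` is a hypothetical helper that shows how many packages one account could touch with and without the barrier.

```python
from dataclasses import dataclass, field

# Constructed sentinel: an owner entry meaning the package was left wide open
# to every account (the "foolishly left wide open" case in the mail).
OPEN_TO_ALL = "*"


@dataclass
class PackageACL:
    """Owner lists per package plus an audit trail of every access decision."""
    owners: dict[str, set[str]] = field(default_factory=dict)
    enforce: bool = True  # False models "no barriers in place"
    audit: list[str] = field(default_factory=list)

    def grant(self, package: str, account: str) -> None:
        """Record that account (or OPEN_TO_ALL) may modify package."""
        self.owners.setdefault(package, set()).add(account)

    def can_modify(self, package: str, account: str) -> bool:
        """Pure policy check: owner, or package explicitly opened to all.

        Unknown packages are denied so an attacker cannot create a name that
        collides with a package nobody has claimed yet.
        """
        if not self.enforce:
            return True  # no barrier: every account reaches every package
        allowed = self.owners.get(package, set())
        return OPEN_TO_ALL in allowed or account in allowed

    def is_allowed(self, package: str, account: str, action: str) -> bool:
        """Enforce the policy for one request and log the decision.

        Denied entries are the detection signal: an account that owns nothing
        yet tries to commit or build across many packages stands out here.
        """
        decision = self.can_modify(package, account)
        verdict = "ALLOW" if decision else "DENY"
        self.audit.append(f"{verdict} {action} {package} by {account}")
        return decision

    def blast_radius(self, account: str) -> set[str]:
        """Every known package this account could change: the damage a rogue
        account can do under the current policy."""
        return {pkg for pkg in self.owners if self.can_modify(pkg, account)}


def demo() -> dict:
    """Constructed scenario: three packages, one of them wide open, and an
    account 'mallory' that passed account creation but owns nothing."""
    acl = PackageACL()
    acl.grant("foo-utils", "alice")
    acl.grant("libbar", "bob")
    acl.grant("legacy-tool", "carol")
    acl.grant("legacy-tool", OPEN_TO_ALL)  # carol opened her package to everyone

    results = {
        "alice_own": acl.is_allowed("foo-utils", "alice", "commit"),
        "mallory_libbar": acl.is_allowed("libbar", "mallory", "build"),
        "mallory_open": acl.is_allowed("legacy-tool", "mallory", "commit"),
        "mallory_unknown": acl.is_allowed("not-a-package", "mallory", "commit"),
        "radius_enforced": acl.blast_radius("mallory"),
        "denials": [line for line in acl.audit if line.startswith("DENY")],
    }
    # Same ownership data with the barrier switched off.
    no_barriers = PackageACL(owners=acl.owners, enforce=False)
    results["radius_no_barriers"] = no_barriers.blast_radius("mallory")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the barrier on, `mallory` can only reach `legacy-tool`, the one package deliberately opened to everyone, and the two denied requests land in the audit trail; with `enforce=False` the same account reaches all three packages, which is the "run roughshod all over all the packages" situation the mail describes.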
-- Fedora-maintainers mailing list Fedora-maintainers@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-maintainers