On Wed, Feb 07, 2007 at 09:51:04AM -0500, Jesse Keating wrote:
> going through the process to create their _own_ account. Once that has been
> done ( and we keep wanting to LOWER the barrier for this!! ), if there are no

I don't think we should lower the barrier. On the contrary, I think that we
should be very cautious when sponsoring people -- although I don't think that
the main reason why we should be cautious is security, but rather long-term
involvement and the burden a contributor leaves behind when leaving.

Also we should always try to be able to identify the real person behind the
fedora contributor. That way the contributor may be blamed in case of bad
things done on purpose.

> barriers in place, that person can now run roughshod all over all the
> packages, making any changes they want, building anything they want, causing
> automated pushes to push out whatever they built, leading to people grabbing
> packages and getting rooted, or even worse, insert some small thing in a
> package that gets pulled into most buildroots that will further taint any
> more builds. Could be hard to detect until it is far far too late.

Of course it will always be hard to check everything, but currently (and for
extras, with core it may not be possible anymore) it is possible to keep an
eye on the cvs commits, and on the build report for a range of packages we
are interested in and verify that everything is right.

(As a side note, I think that what is missing is a check of the checksum
against what can be downloaded from the net, for packages that have a real
Source on the net.)

> With
> proper barriers in place, the most damage a rogue user can do is to their own
> package, or to any packages foolishly left wide open.

I don't like "foolishly". There are packages that have reasons to be closed,
especially those that are frequently in the buildroot; there are also
packages that don't have that many security requirements, or a maintainer
reactive enough to track everything that happens to the package. Closing
packages also has a cost.

--
Pat

-- 
Fedora-maintainers mailing list
Fedora-maintainers@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-maintainers
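The side note in Pat's reply suggests comparing the checksum recorded for a package's Source tarball against what can actually be downloaded from upstream. The following is an added example of that check in Python, not code from the thread or from Fedora's tooling; it assumes a lookaside `sources` file in the `<hexdigest>  <filename>` form and takes the fetch step as a callable so it runs offline against constructed data.

```python
import hashlib
from typing import Callable, Dict, Tuple

def digest_of(data: bytes, algo: str = "md5") -> str:
    """Hex digest of the fetched bytes (md5 matches the assumed 'sources' format)."""
    return hashlib.new(algo, data).hexdigest()

def parse_sources(text: str) -> Dict[str, str]:
    """Parse '<hexdigest>  <filename>' lines into {filename: digest}.
    Assumed format of the lookaside 'sources' file; blank and '#' lines ignored."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        entries[name.strip()] = digest.lower()
    return entries

def check_upstream(sources_text: str, fetch: Callable[[str], bytes],
                   algo: str = "md5") -> Dict[str, Tuple[bool, str, str]]:
    """For each recorded tarball, fetch the upstream copy and compare digests.
    Returns {filename: (matches, recorded_digest, actual_digest)} so a mismatch
    (a tarball that differs from what upstream serves) can be flagged for review."""
    results: Dict[str, Tuple[bool, str, str]] = {}
    for name, recorded in parse_sources(sources_text).items():
        actual = digest_of(fetch(name), algo)
        results[name] = (actual == recorded, recorded, actual)
    return results

# Constructed sample data: a "good" tarball and one that differs by a few bytes.
GOOD_TARBALL = b"pretend tarball contents v1.0\n"
ALTERED_TARBALL = b"pretend tarball contents v1.0 with one extra line\n"
SOURCES_FILE = f"{digest_of(GOOD_TARBALL)}  foo-1.0.tar.gz\n"

def fetch_matching(name: str) -> bytes:
    """Stand-in for downloading from the real Source URL (constructed)."""
    return GOOD_TARBALL

def fetch_altered(name: str) -> bytes:
    """Stand-in for an upstream copy that no longer matches the recorded digest."""
    return ALTERED_TARBALL

if __name__ == "__main__":
    for label, fetcher in (("matching", fetch_matching), ("altered", fetch_altered)):
        for name, (ok, rec, act) in check_upstream(SOURCES_FILE, fetcher).items():
            print(f"{label}: {name} {'OK' if ok else 'MISMATCH'} recorded={rec} actual={act}")
```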