On 17.08.2007 17:50, Toshio Kuratomi wrote:
> Thorsten Leemhuis wrote:
> [...]
> FESCO keeps discussing this
[...]

I got the impression that yesterday's FESCo meeting ended the discussion for the next few months. I think that's really bad because it's *IMHO* (maybe I'm just being overly careful and too frightened here...) currently way too easy for a malicious attacker to get bad packages with bad code out to the users:

- put a package up for review
- get sponsored -- that's still the hardest part, but not that hard if you reply to questions and advice from the reviewer quickly and poke the right people
- watch the mailing list and http://fedoraproject.org/wiki/Vacation for people being afk for longer time periods
- commit something bad to some well-known packages which are (1) owned by folks being away and (2) without co-maintainers; hit CTRL+C quickly when cvs mentions that changes got committed -- if you are fast enough no commit mail will get sent to the commits-list. Even if one gets sent -- if you are a bit careful (e.g. upload a modified tarball with the malicious code) then chances are good none of those few people that take a closer look at some of the commit-mails on cvs-extras-commits will notice something bad(¹)
- for F6 and devel the bad code will get out to the repo on its own soon and find its way to the users automatically. For F-7 you need to get it out through bodhi -- not sure if it checks whether the one that pushes a package owns it. If not then the attacker can push his trojan horse easily himself. Chances that this gets noticed will be small as well.

I think it's just a matter of time until something similar to what I outlined above might happen (reminder, both gentoo and ubuntu had problems with attackers in the last couple of days).

Giving all sponsors access by default instead of "all new packagers get access to all new packages and round about 2935 out of 4847 packages (counted only devel branches and I hope my counting method was correct)" would have been the way saner choice IMHO.

CU
knurd

(¹) -- heck, I could even imagine ways where even the real owner might not notice changes (albeit that would depend on the way the real owner works)

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list