> On 17.08.2007 17:50, Toshio Kuratomi wrote:
>> Thorsten Leemhuis wrote:
>> [...]
>> FESCO keeps discussing this [...]
>
> I got the impression that yesterday's FESCo meeting ended the discussion
> for the next few months. I think that's really bad because it's *IMHO*
> (maybe I'm just being overly careful and too frightened here...)
> currently way too easy for a malicious attacker to get bad packages with
> bad code out to the users:
>
> - put a package up for review
> - get sponsored -- that's still the hardest part, but not that hard if
> you reply to questions and advice from the reviewer quickly and poke
> the right people
> - watch the mailing list and http://fedoraproject.org/wiki/Vacation for
> people being afk for longer time periods
> - commit something bad to some well-known packages which are (1) owned
> by folks being away and (2) without co-maintainers; hit CTRL+C quickly
> when cvs mentions that changes got committed -- if you are fast enough no
> commit mail will get sent to the commits list. Even if one gets sent --
> if you are a bit careful (e.g. upload a modified tarball with the
> malicious code) then chances are good none of those few people that take
> a closer look at some of the commit mails on cvs-extras-commits will notice
> something bad(¹)
> - for F6 and devel the bad code will get out to the repo on its own
> soon and find its way to the users automatically. For F-7 you need to
> get it out through bodhi -- not sure if it checks if the one that pushes
> a package is owning it. If not then the attacker can push his trojan
> horse easily himself. Chances this gets noticed will be small as well.

I can confirm that at least in some cases Bodhi will allow non-owner
updates. I do not maintain openarena, but I updated it this week at the
maintainer's request/with his blessing.
> I think it's just a matter of time until something similar to what I
> outlined above might happen (reminder, both gentoo and ubuntu had
> problems with attackers in the last couple of days).
>
> Giving all sponsors access by default instead of "all new packagers get
> access to all new packages and round about 2935 out of 4847 packages
> (counted only devel branches and I hope my counting method was correct)"
> would have been the way saner choice IMHO.
>
> CU
> knurd
>
> (¹) -- heck, I could even imagine ways where even the real owner might
> not notice changes (albeit that would depend on the way the real owner
> works)
>
> --
> fedora-devel-list mailing list
> fedora-devel-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-devel-list

--
novus ordo absurdum
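The two checks the thread circles around (does the update tool verify that the pusher actually maintains the package, and would anyone notice a non-maintainer committing to a package whose owner is away and who has no co-maintainer?) are easy to state as code. The following is an added example written for this page, not Fedora or Bodhi code: the ownership table, the "away" list, the commit-log line format and every identifier (`Package`, `OWNERS`, `AWAY`, `SAMPLE_LOG`, `may_push_update`, `audit`) are constructed assumptions; real data would come from the package database and the vacation page.

```python
"""Heuristic audit of package-repository commits and update pushes.

Added example (not Fedora infrastructure code). It models the attack
outlined in the thread: a newly sponsored packager commits to a package
whose owner is away and which has no co-maintainer, then pushes the
result as an update. All identifiers, the log format and the sample data
below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Package:
    """Ownership record: one owner plus zero or more co-maintainers."""
    owner: str
    comaintainers: frozenset = frozenset()


# Constructed ownership table (hypothetical; a real tool would query pkgdb).
OWNERS = {
    "foo": Package(owner="alice"),
    "bar": Package(owner="carol", comaintainers=frozenset({"dave"})),
}

# Constructed list of people who announced absences (hypothetical).
AWAY = frozenset({"alice"})

# Constructed commit-log lines: "<date> <user> <package> <files...>".
SAMPLE_LOG = """\
2007-08-16 alice foo foo.spec
2007-08-17 mallory foo sources foo-1.2.tar.gz
2007-08-17 dave bar bar.spec
2007-08-17 mallory bar bar.spec
"""

TARBALL_SUFFIXES = (".tar.gz", ".tar.bz2", ".tgz", ".zip")


def parse_log(text):
    """Parse the constructed log format into (date, user, package, files)."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:          # malformed line: skip rather than crash
            continue
        date, user, package, *files = parts
        entries.append((date, user, package, tuple(files)))
    return entries


def is_maintainer(user, package, owners=OWNERS):
    """True if user owns or co-maintains package; unknown packages -> False."""
    pkg = owners.get(package)
    return pkg is not None and (user == pkg.owner or user in pkg.comaintainers)


def may_push_update(pusher, package, owners=OWNERS):
    """The ownership check the thread asks whether the update tool performs:
    deny the push unless the pusher is a maintainer of the package."""
    return is_maintainer(pusher, package, owners)


def risk_flags(user, package, files, owners=OWNERS, away=AWAY):
    """Return the reasons a commit deserves a human look (empty = none)."""
    pkg = owners.get(package)
    if pkg is None:
        return ["unknown package"]
    flags = []
    if not is_maintainer(user, package, owners):
        flags.append("committer is not a maintainer")
        if pkg.owner in away:
            flags.append("owner is away")
        if not pkg.comaintainers:
            flags.append("no co-maintainer to notice")
    # A changed tarball hides code a spec-only diff reader never sees.
    if "sources" in files or any(f.endswith(TARBALL_SUFFIXES) for f in files):
        flags.append("source tarball changed")
    return flags


def audit(log_text, owners=OWNERS, away=AWAY):
    """Run the flags over a commit log; return only the flagged commits."""
    findings = []
    for date, user, package, files in parse_log(log_text):
        flags = risk_flags(user, package, files, owners, away)
        if flags:
            findings.append((date, user, package, flags))
    return findings


if __name__ == "__main__":
    for date, user, package, flags in audit(SAMPLE_LOG):
        print(f"{date} {user} -> {package}: {', '.join(flags)}")
    print("mallory may push foo:", may_push_update("mallory", "foo"))
```

Run against the constructed log, the audit flags mallory's commit to foo on all four counts (non-maintainer, owner away, no co-maintainer, tarball changed) and mallory's commit to bar only as a non-maintainer commit, because carol is present and dave co-maintains it; alice's and dave's commits pass. Note that the audit runs server-side over the repository's own history, so it does not depend on the commit mail that the thread describes an attacker suppressing with CTRL+C.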