Jesse Keating wrote:
On Wed, 05 Dec 2007 09:29:41 -0500
John Dennis <jdennis@xxxxxxxxxx> wrote:
Linux has been mostly immune to malware. For anyone writing malware
one of the challenges is propagating the infected code.
So let's not give bad folks the perfect vehicle for distributing their
malware through an official update channel which automatically gets
pushed to tens of thousands of machines with the implication of being
clean software. Such an event would be devastating to the entire open
source community.
If one doesn't think this is going to happen or you think the
ultimate consequences for open source adoption would be benign then I
have a bridge I'd like to sell you.
Also, if you think the bar to getting a Fedora account is so high as
to make this unlikely then you've forgotten that anyone with enough
software savvy to write malware would view that hurdle as a house of
straw.
If you think there aren't plenty of folks the world over just waiting
for their 15 minutes of hacker fame or who have a desire to teach
RedHat/Fedora a lesson then I can offer you a discount on that bridge.
Do we need a better mechanism for accepting contributions from the
community, probably. Are open commit lists the answer, no.
If you think the problem would be mitigated by package maintainers
rigorously reviewing all changes *after* they've been committed
you're forgetting human nature and the fact most maintainers are
overworked to begin with. By extension if you demand maintainers review
every commit then how is that effectively different than the current
process of posting a patch in a bugzilla and asking the maintainer to
review it before committing it?
And if you think we're the first Linux distro of any size to have wider
access to our software source control you're also mistaken. We're not
paving new ground here.
Debian has NMUs which allow for a Debian maintainer other than the
package owner to upload new builds of a package for various reasons:
http://www.us.debian.org/doc/developers-reference/ch-pkgs.en.html#s-nmu
Only Debian Developers can do NMUs. Last I checked the process of
becoming a Debian Developer was roughly an order of magnitude more
rigorous than ours (and possibly to the extent of being beyond reason).
Can't comment on the rest of the distros.
Zack
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list