On Tuesday, 16.05.2006, at 19:24 +0200, Hans de Goede wrote:
>
> Thorsten Leemhuis wrote:
> > On Tuesday, 16.05.2006, at 09:41 +0200, Thorsten Leemhuis wrote:
> >> On Monday, 15.05.2006, at 13:14 -0500, Jason L Tibbitts III wrote:
> Sounds like a good plan, except for one thing:
> -Assume I'm an evil bastard who wants to inject bad code into FE cvs
> -I say I want to unorphan a (few) package(s) and get sponsored
> -I update them (I've chosen easy ones) and request builds, sponsor is
>  happy
> -In the meantime I also use my CVS access to inject some malware in a
>  couple of much used often released packages. I circumvent the CVS
>  change mails (yes that's possible, just hit ctrl-C at the right moment)
> -After some time the packages get built for one reason or another by
>  their actual owner with my malware included.
> <OOPS>

But why use an orphan package as the entry point to get CVS access to
Extras to "inject some malware"? You can have CVS access already nearly
just as easily: Just package something, get it approved and get yourself
sponsored. That's not that much more difficult.

> Then again I even have worries about this happening one day with the
> current process. [...]

Yeah, we might have grown so far that we need to limit access in CVS a
bit more. We probably need to "add layers of control and management and
procedures" to make everything more safe.

CU
thl
--
Thorsten Leemhuis <fedora@xxxxxxxxxxxxx>

--
fedora-extras-list mailing list
fedora-extras-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-extras-list