Re: FAKE: Fedora Extras shipped popular package with rootkit and more than ten thousands systems were infected (was Re: Summary from last weeks FESCo meeting)

Paul P Komkoff Jr wrote:
Replying to Thorsten Leemhuis:
4. checkout some popular packages, upload new tarballs with slightly
different names and a root-kit in it. Modify the "Source0" accordingly
5. commit the changes, hit "CTRL-C" at the right point of time so the
commit-message is not sent to commits-list

Either I am wrong or this clearly shows a major flaw in the current
infrastructure, when anyone with commit access can modify anything in the
extras tree?


Flaw, more of a feature. I like the current openness of FE and I think we should be very careful not to lose this openness.

I share Thl's worries; actually I kinda whispered them into his ear, but I was whispering because I didn't want my worries to lead to a discussion which in turn could lead to a much more closed FE. We're a community distro; trust is important, if not vital!

Personally, I'm trying to be careful with whom I sponsor, checking for previous OSS work, etc., and monitoring every move they make for some time after I sponsor them, until I'm comfortable that they can be trusted.

I think people who want to inject malware into OSS will always find a way; the fact that this currently hasn't happened much shows that we're apparently a healthy community and that the risks of getting caught are big enough to scare people away.

Regards,

Hans

--
fedora-extras-list mailing list
fedora-extras-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-extras-list
