Paul P Komkoff Jr wrote:
Replying to Thorsten Leemhuis:
4. checkout some popular packages, upload new tarballs with a slightly
different names and a root-kit in it. Modify the "Source0" accordingly
5. commit the changes, hit "CTRL-C" at the right point of time so the
commit-message is not send to commits-list
Either I am wrong or this clearly shows a major flaw in current
infrastructure when any with commit access can modify anything in the
extras tree?
Flaw, more of a feature. I like the current openness of FE and I think
we should be very carefull to not loose this openness.
I share Thl's worries, actually I kinda wisphered them into his ear, but
I was wisphering because I didn't want my worries to lead to a
discussion which in turn could lead to a much more closed FE. We're a
community distro, trust is important if not vital!
I personally I'm trying to be carefull with whom I sponsor, checking for
privious oss work, etc and monitoring every move they make for sometime
after I sponsor them untill I'm comfortable that they can be trusted.
I think people who want to inject malware into OSS will always find a
way, the fact that this currently hasn't happened much shows that we're
appearantly a healty community and that the riscs of getting caught are
big enough to scare people away.
Regards,
Hans
--
fedora-extras-list mailing list
fedora-extras-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-extras-list
