On 6/1/06, Thorsten Leemhuis <fedora@xxxxxxxxxxxxx> wrote:
> What makes you sure that "most of us" do it like that? I for example don't have them because I work on my packages from multiple machines. So I always do a fresh checkout (that way I always get an up2date common directory, too).
Then maybe YOUR practices should be questioned, not everyone's. If you don't zealously track CVS commits to your packages, then you are the broken part, not the system.
> And in any case: "- instead of "6.": build the modified packages yourself -- chances are quite low that somebody will notice it" remains.
You can check out my packages, trojan them, cvs commit them, and build them. They will get signed and get released. However, since I follow the new releases for Extras, I will quickly notice that something went wrong, and perform the needed steps to pull it.

1. Yes, you will succeed in trojaning my packages for a brief while
2. This won't take very long to get noticed
3. You will be dealt with accordingly -- most likely involving the police/fbi/etc

We are not working in a fully anonymous environment -- there is a certain level of trust between the members of the Extras packaging community. Getting CVS commit access requires certain steps that usually weed out your regular pranksters (including sending a signed fax to RH HQ), and if you are totally hell-bent on poisoning the system, then there's little we can do short of making the process even more arduous and slow for everyone who wants to participate.

In any case, this isn't a contingency we should really be spending that much time over, short of potentially developing a system of ACLs that would restrict CVS commits only to the actual package owners. We can safely assume that as time passes, the chances of having a trojaned package in Extras approacheth 100%. Therefore, instead of hand-wringing and self-flagellating, let's work out a course of actions to take if someone, indeed, manages to sneak through a trojaned package.

Regards,
--
Konstantin Ryabitsev
Montréal, Québec