Re: FAKE: Fedora Extras shipped popular package with rootkit and more than ten thousands systems were infected (was Re: Summary from last weeks FESCo meeting)

Nicolas Mailhot wrote:
> Hi,
> 
> You don't need complex ACL features to make the current system a lot
> more secure. Just:
> - ironclad the mail sending on commit
> - systematically send a copy of the commit message to the list of
> maintainers associated with a package (most maintainers do not have time
> to follow the full FE commit list)
> - when a package build is requested, send a magic cookie to all the
> associated maintainers and the security team and do not push the build
> till the cookie is returned by mail by one of them
> - setup a webscm somewhere and automatically create user profiles which
> include history views of all the packages associated with each
> individual FE member.
> 
> Because, you know, if we make sure everything which happens is
> communicated to the right people before the result is pushed to users
> there is absolutely no need to protect against malicious users. Besides
> re-reading their changes this will help maintainers catch their own
> honest mistakes.
Very very good idea! + a zillion.

One note though:
> - systematically send a copy of the commit message to the list of
> maintainers associated with a package (most maintainers do not have time
> to follow the full FE commit list)

I think this should include the sponsor too (for a sponsor-configurable
amount of time from the sponsoring).

Regards,

Hans

-- 
fedora-extras-list mailing list
fedora-extras-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-extras-list
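The "magic cookie" step proposed above (a build request mails a token to the package's maintainers and the security team, and the build is only pushed once one of them mails it back) is easy to describe and easy to get subtly wrong. The following is an added example of how such a gate could be modelled; it is not Fedora Extras code and no such system is described on the page. All names, addresses, the `approve <request-id> <cookie>` reply syntax, and the `BuildGate` class are assumptions. It goes beyond the thread in three ways that a practitioner would want: the requester is excluded from the approver set (so a lone committer cannot approve their own build even if they are a listed maintainer), cookies expire and are single-use, and the comparison is constant-time.

```python
"""Hypothetical build-approval gate modelled on the 'magic cookie' idea.
Constructed example; not Fedora Extras infrastructure."""
import email
import email.utils
import hmac
import re
import secrets
import time

# Assumed reply syntax: a non-quoted line "approve <request-id> <cookie>".
APPROVAL_RE = re.compile(r"^approve\s+([0-9a-f]{16})\s+(\S+)\s*$", re.IGNORECASE)


class BuildGate:
    def __init__(self, ttl_seconds=24 * 3600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be tested
        self.pending = {}           # request_id -> record awaiting a cookie
        self.approved = set()       # request_ids cleared for pushing

    def request_build(self, package, requester, maintainers, security_team):
        """Record a build request; return (request_id, cookie).
        The caller mails the cookie to every approver.  Assumption beyond the
        thread: the requester is removed from the approver set, so a single
        committer can never approve their own build."""
        request_id = secrets.token_hex(8)          # 16 hex chars
        cookie = secrets.token_urlsafe(24)         # unguessable, one per request
        approvers = (set(maintainers) | set(security_team)) - {requester}
        self.pending[request_id] = {
            "package": package,
            "requester": requester,
            "approvers": approvers,
            "cookie": cookie,
            "issued": self.clock(),
        }
        return request_id, cookie

    def approve(self, request_id, returned_cookie, sender):
        """Validate a mailed-back cookie.  Returns 'approved' or a reason."""
        rec = self.pending.get(request_id)
        if rec is None:
            return "unknown-request"     # nothing pending (or already used)
        if self.clock() - rec["issued"] > self.ttl:
            del self.pending[request_id]
            return "expired"             # stale cookie; a new request is needed
        if sender not in rec["approvers"]:
            return "not-an-approver"     # not a maintainer / security member
        if not hmac.compare_digest(returned_cookie.encode(), rec["cookie"].encode()):
            return "bad-cookie"          # constant-time comparison
        del self.pending[request_id]     # single use: cannot be replayed
        self.approved.add(request_id)
        return "approved"

    def can_push(self, request_id):
        return request_id in self.approved


def approval_from_mail(raw_message):
    """Extract (sender, request_id, cookie) from a reply.  Quoted lines are
    skipped so the cookie echoed back in the quoted original does not count;
    the approver has to type the approval line themselves."""
    msg = email.message_from_string(raw_message)
    _, sender = email.utils.parseaddr(msg.get("From", ""))
    for line in msg.get_payload().splitlines():
        if line.lstrip().startswith(">"):
            continue
        m = APPROVAL_RE.match(line.strip())
        if m:
            return sender, m.group(1), m.group(2)
    return sender, None, None


if __name__ == "__main__":
    gate = BuildGate()
    rid, cookie = gate.request_build(
        "foo", "alice@example.org", ["alice@example.org", "bob@example.org"],
        ["security@example.org"])
    print("requester self-approval:", gate.approve(rid, cookie, "alice@example.org"))
    # Constructed reply from a maintainer, with the original quoted above the approval line.
    reply = (f"From: Bob <bob@example.org>\nSubject: Re: build request {rid}\n\n"
             f"> approve {rid} {cookie}\napprove {rid} {cookie}\n")
    print("maintainer approval:", gate.approve(*approval_from_mail(reply)[::-1][::-1]) if False else
          gate.approve(approval_from_mail(reply)[1], approval_from_mail(reply)[2], approval_from_mail(reply)[0]))
    print("can push:", gate.can_push(rid))
```

The one check this model cannot make on its own is the one the thread relies on most: that the `From:` address really belongs to the maintainer. A plain mail header is trivially forged, so a deployment of this idea would need the list or build system to authenticate the reply (for example by requiring it to be signed) before the sender is treated as an approver.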
