Process Change: Package Reviews with Flags

Jesse Keating jkeating at redhat.com
Wed Feb 7 00:34:49 UTC 2007


On Tuesday 06 February 2007 19:24, Dominik 'Rathann' Mierzejewski wrote:
> And we had... how many incidents with people making themselves owners
> of others' packages, exactly? AFAIR the problem was mostly with people
> forgetting to add themselves to that file after importing a package.
>
> I'm not convinced this is a necessary change.

It is not a matter of what HAS been done, it's a matter of what _could_ be 
done.  You don't lock the door to your house because somebody has already 
broken in, you lock it to prevent somebody from breaking in.  Other people 
HAVE broken into other distributions and caused problems.  This is closing a 
hole and narrowing the potential effect.

Nothing stops a rogue user from going through the review process for some
innocuous piece of software, just to get CVS access, then changing ownership
of, say, kernel, or gcc, or glibc, building something that will infect users
and pushing it out, all because our system was open enough to let them.

This is a very real concern, especially with the hype and media coverage the 
merger is bringing.  I'd rather not sheepishly implement security after the 
fact when we can easily do it before the fact.

-- 
Jesse Keating
Release Engineer: Fedora