permissions in cvs and security for our packages (Re: Plan for tomorrows (20070816) FESCO meeting)

Jon Ciesla limb at jcomserv.net
Fri Aug 17 17:06:50 UTC 2007


> On 17.08.2007 17:50, Toshio Kuratomi wrote:
>> Thorsten Leemhuis wrote:
>> [...]
>> FESCO keeps discussing this [...]
>
> I got the impression that yesterday's FESCo meeting ended the discussion
> for the next few months. I think that's really bad because it's *IMHO*
> (maybe I'm just being overly careful and too frightened here...)
> currently way too easy for a malicious attacker to get bad packages with
> bad code out to the users:
>
> - put a package up for review
> - get sponsored -- that's still the hardest part, but not that hard if
> you reply to questions and advice from the reviewer quickly and poke
> the right people
> - watch the mailing list and http://fedoraproject.org/wiki/Vacation for
> people being afk for longer time-periods
> - commit something bad to some well known packages which are (1) owned
> by folks being away and (2) without co-maintainers; hit CTRL+C quickly
> when cvs mentions that changes got committed -- if you are fast enough no
> commit mail will get sent to the commits-list. Even if one gets sent --
> if you are a bit careful (e.g. upload a modified tarball with the
> malicious code) then chances are good none of those few people that take
> a closer look at some of the commit-mails on cvs-extras-commits will notice
> something bad(¹)
> - for F6 and devel the bad code will get out to the repo on its own
> soon and find its way to the users automatically. For F-7 you need to
> get it out through bodhi -- not sure if it checks whether the one that pushes
> a package owns it. If not then the attacker can push his trojan
> horse easily himself. Chances this gets noticed will be small as well.

I can confirm that at least in some cases Bodhi will allow non-owner
updates.  I do not maintain openarena, but I updated it this week at the
maintainer's request/with his blessing.

> I think it's just a matter of time until something similar to what I
> outlined above happens (reminder, both gentoo and ubuntu had
> problems with attackers in the last couple of days).
>
> Giving all sponsors access by default instead of "all new packagers get
> access to all new packages and round about 2935 out of 4847 packages
> (counted only devel branches and I hope my counting method was correct)"
> would have been the way saner choice IMHO.
>
> CU
> knurd
>
> (¹) -- heck, I could even imagine ways where even the real owner might
> not notice changes (albeit that would depend on the way the real owner
> works)
>


-- 
novus ordo absurdum