New package cvs requests. opt out of cvsextras commit rather than in?

Thorsten Leemhuis fedora at
Wed Dec 5 15:30:10 UTC 2007

On 05.12.2007 16:10, Jesse Keating wrote:
> On Wed, 05 Dec 2007 09:29:41 -0500
> John Dennis <jdennis at> wrote:
>> Linux has been mostly immune to malware. For anyone writing malware
>> one of the challenges is propagating the infected code.
>> So lets not give bad folks the perfect vehicle for distributing their 
>> malware through an official update channel which automatically gets 
>> pushed to tens of thousands of machines with the implication of being 
>> clean software. Such an event would be devastating to the entire open 
>> source community.
>> If you think the problem would be mitigated by package maintainers 
>> rigorously reviewing all changes *after* they've been committed
>> you're forgetting human nature and the fact most maintainers are over
>> worked to begin with. By extension if you demand maintainers review
>> every commit then how is that effectively different than the current
>> process of posting a patch in a bugzilla and asking the maintainer to
>> review it before committing it?
> And if you think we're the first Linux distro of any size to have wider
> access to our software source control you're also mistaken.  We're not
> paving new ground here.
[... some examples ....]
> So we're hardly the first, and certainly not the largest, linux distro
> to have "open" commits for project members.

So your option as FESCo member is what? Just continue with the current
procedure and hope and pray that nothing happens?

For me something like the ubuntu solution ("Development Team" that have
commit access across all the Universe packages) sounds good -- we could
create such a team by putting sponsors, rel-eng-people and some hand
selected red hat employees as well as some long term contributers into a
"group" and call them "Development Team" as well.


More information about the fedora-devel-list mailing list