New package cvs requests. opt out of cvsextras commit rather than in?

Wed Dec 5 15:10:41 UTC 2007

On Wed, 05 Dec 2007 09:29:41 -0500
John Dennis <jdennis at redhat.com> wrote:

> Linux has been mostly immune to malware. For anyone writing malware
> one of the challenges is propagating the infected code.
> 
> So lets not give bad folks the perfect vehicle for distributing their 
> malware through an official update channel which automatically gets 
> pushed to tens of thousands of machines with the implication of being 
> clean software. Such an event would be devastating to the entire open 
> source community.
> 
> If one doesn't think this is going to happen or you think the
> ultimate consequences for open source adoption would be benign then I
> have a bridge I'd like to sell you.
> 
> Also, if you think the bar to getting a Fedora account is so high as
> to make this unlikely then you've forgotten that anyone with enough 
> software savvy to write malware would view that hurdle as a house of
> straw.
> 
> If you think there aren't plenty of folks the world over just waiting 
> for their 15 minutes of hacker fame or who have a desire to teach 
> RedHat/Fedora a lesson then I can offer you a discount on that bridge.
> 
> Do we need a better mechanism for accepting contributions from the 
> community, probably. Are open commit lists the answer, no.
> 
> If you think the problem would be mitigated by package maintainers 
> rigorously reviewing all changes *after* they've been committed
> you're forgetting human nature and the fact most maintainers are over
> worked to begin with. By extension if you demand maintainers review
> every commit then how is that effectively different than the current
> process of posting a patch in a bugzilla and asking the maintainer to
> review it before committing it?

And if you think we're the first Linux distro of any size to have wider
access to our software source control you're also mistaken.  We're not
paving new ground here.

Debian has NMUs which allow for a Debian maintainer other than the
package owner to upload new builds of a package for various reasons:
http://www.us.debian.org/doc/developers-reference/ch-pkgs.en.html#s-nmu

Ubuntu has a "Development Team" that have commit access across all the
Universe packages, and a "Core Development Team" that has access to the
packages in main.  This is a lot more like what we used to have, with
Core/Extras, but it still gives pretty wide commit access to a number
of people.  Just as dangerous as what you're worried about.

"Open"Suse is a different story.  Only Novell employees can maintain
opensuse packages.  However they have a buildservice which allows just
about anybody to build software and publish in a public repo.  YaST has
clickable links to a number of popular repos.

So we're hardly the first, and certainly not the largest, linux distro
to have "open" commits for project members.

-- 
Jesse Keating
Fedora -- All my bits are free, are yours?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-devel-list/attachments/20071205/ede2d0e4/attachment.sig>