FAKE: Fedora Extras shipped popular package with rootkit and more than ten thousands systems were infected (was Re: Summary from last weeks FESCo meeting)

Thorsten Leemhuis fedora at leemhuis.info
Thu Jun 1 15:00:12 UTC 2006


Am Donnerstag, den 01.06.2006, 15:41 +0100 schrieb Jonathan Underwood:
> On 01/06/06, Konstantin Ryabitsev <icon at fedoraproject.org> wrote:
> > In any case, this isn't a contingency we should really be spending
> > that much time over, short of potentially developing a system of ACLs
> > that would restrict CVS commits only to the actual package owners.
> 
> Would it help this discussion if the technicalities of developing such
> a system were put on the table (apologies if this has been discussed
> before and I missed it)?

The biggest problem probably is: There are plans to switch away from CVS
to something else after FC6 (no, that's all I know). So investing too
much time in the current system probably is not worth the trouble.

I would sleep already a lot better if at least the issue with "hit CTRL
+C at the right moment and no commit mail with the changes will be sent"
were fixed. But I don't know CVS enough and would be really glad if
someone could look into that.

I would even sleep really well if there were a mechanism that checks
md5sums against upstream packages. But that's quite complicated to
implement and might be too much overhead.

>  This discussion would also be useful in the
> context of developing a mechanism for having a team of people
> responsible for a package, rather than a single owner.

We really need that. But that's stalled mostly because nobody in FESCo
really works on driving it forward and the proposal from Patrice is
still in my Todo-Inbox. :-((

>  Do the problems
> with the approach alluded to by Konstantin have their roots in the
> limitations of CVS permissions, or are there other issues?

I don't know. It was started with the current scheme and I don't know
the details why every packager has access everywhere. And it seems a lot
of people don't want fine-grained ACLs.

CU
thl
-- 
Thorsten Leemhuis <fedora at leemhuis.info>
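The md5sum check against upstream packages mentioned in the mail, as an added example that is not part of the original thread or of any Fedora tooling: it assumes a manifest in the `<md5sum>  <filename>` layout that the `md5sum` tool emits, with the tarballs to verify sitting in one directory, and reports every entry that is intact, altered, or absent.

```python
import hashlib
import os
import tempfile

def parse_manifest(text):
    """Parse 'hash  filename' lines (md5sum layout) into {filename: hash}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        digest, _, name = line.partition(" ")
        entries[name.lstrip(" *")] = digest.lower()  # '*' marks binary mode
    return entries

def md5_of_file(path):
    """Hash a file in chunks so large tarballs need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_sources(manifest_text, directory):
    """Return {filename: 'ok' | 'mismatch' | 'missing'} for every manifest entry."""
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif md5_of_file(path) != expected:
            results[name] = "mismatch"  # contents differ from what upstream published
        else:
            results[name] = "ok"
    return results

def demo():
    """Constructed sample (not real packages): one intact tarball, one altered, one absent."""
    with tempfile.TemporaryDirectory() as d:
        good = b"upstream tarball bytes"
        with open(os.path.join(d, "foo-1.0.tar.gz"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "bar-2.1.tar.gz"), "wb") as f:
            f.write(b"altered tarball bytes")
        manifest = "\n".join([
            hashlib.md5(good).hexdigest() + "  foo-1.0.tar.gz",
            hashlib.md5(b"what upstream shipped").hexdigest() + "  bar-2.1.tar.gz",
            "d41d8cd98f00b204e9800998ecf8427e  baz-0.3.tar.gz",  # never downloaded
        ])
        return verify_sources(manifest, d)
```

Calling `demo()` returns one verdict per manifest entry; in a build pipeline anything other than "ok" would stop the build before the tarball is unpacked.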
