Re: FAKE: Fedora Extras shipped popular package with rootkit and more than ten thousands systems were infected (was Re: Summary from last weeks FESCo meeting)

Paul P Komkoff Jr wrote:
Replying to Thorsten Leemhuis:
4. checkout some popular packages, upload new tarballs with slightly
different names and a root-kit in it. Modify the "Source0" accordingly
5. commit the changes, hit "CTRL-C" at the right point of time so the
commit-message is not sent to commits-list

Either I am wrong or this clearly shows a major flaw in the current
infrastructure, when anyone with commit access can modify anything in the
extras tree?

Flaw, more of a feature. I like the current openness of FE and I think we should be very careful not to lose this openness.

I share Thl's worries; actually, I kinda whispered them into his ear, but I was whispering because I didn't want my worries to lead to a discussion which in turn could lead to a much more closed FE. We're a community distro, trust is important if not vital!

Personally, I'm trying to be careful with whom I sponsor, checking for previous OSS work, etc., and monitoring every move they make for some time after I sponsor them until I'm comfortable that they can be trusted.

I think people who want to inject malware into OSS will always find a way; the fact that this currently hasn't happened much shows that we're apparently a healthy community and that the risks of getting caught are big enough to scare people away.
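The scenario quoted above hinges on a "Source0" line being pointed at a renamed tarball without anyone noticing. As an added example (not code from the thread, from Fedora Extras infrastructure, or from any of the posters), the script below is the kind of check a reviewer or a commit hook could run on a spec change: it compares two revisions of a spec preamble and flags Source tarballs that change without a matching Version bump, or that move to a different download host. It assumes a plain RPM spec preamble with `Name:`, `Version:` and `Source<n>:` tags and only expands the `%{name}` and `%{version}` macros; the spec snippets at the bottom are constructed for the example.

```python
"""Audit a package spec change for an unexplained Source tarball swap.

Added example, not part of the original thread or of any Fedora tooling.
Assumption: spec preamble tags are on single lines; only the %{name} and
%{version} macros are expanded when comparing Source URLs.
"""
import re
from urllib.parse import urlparse

# Preamble tags we care about: "Tag: value" at the start of a line.
TAG_RE = re.compile(r'^(Name|Version|Release|Source\d*):\s*(\S+)\s*$', re.MULTILINE)


def parse_spec(spec: str) -> dict:
    """Return the preamble tags, with %{name}/%{version} expanded in Source lines."""
    tags = {k: v for k, v in TAG_RE.findall(spec)}
    macros = {'name': tags.get('Name', ''), 'version': tags.get('Version', '')}

    def expand(value: str) -> str:
        return re.sub(r'%\{(name|version)\}', lambda m: macros[m.group(1)], value)

    return {k: (expand(v) if k.startswith('Source') else v) for k, v in tags.items()}


def audit_spec_change(before: str, after: str) -> list:
    """Return findings describing suspicious Source changes between two spec revisions."""
    old, new = parse_spec(before), parse_spec(after)
    findings = []
    version_bumped = old.get('Version') != new.get('Version')
    source_tags = sorted(k for k in set(old) | set(new) if k.startswith('Source'))
    for tag in source_tags:
        o, n = old.get(tag), new.get(tag)
        if o == n:
            continue
        if n is None:
            findings.append(f'{tag} removed')
            continue
        if o is None:
            findings.append(f'{tag} added: {n}')
            continue
        # A tarball fetched from a new host deserves a second look even on a real update.
        o_host, n_host = urlparse(o).netloc, urlparse(n).netloc
        if o_host != n_host:
            findings.append(f'{tag} download host changed: {o_host!r} -> {n_host!r}')
        if not version_bumped:
            # The renamed-tarball trick from the thread: Source changes, Version does not.
            findings.append(f'{tag} changed without a Version bump: {o} -> {n}')
        elif new.get('Version', '') not in n.rsplit('/', 1)[-1]:
            findings.append(f'{tag} filename does not contain new Version {new.get("Version")}: {n}')
    return findings


# Constructed sample specs (the package, host and URLs are made up for this example).
SPEC_BEFORE = """\
Name: foo
Version: 1.2
Release: 1%{?dist}
Source0: http://example.org/releases/%{name}-%{version}.tar.gz
"""

# Tampered revision: same Version, tarball quietly renamed.
SPEC_TAMPERED = """\
Name: foo
Version: 1.2
Release: 2%{?dist}
Source0: http://example.org/releases/%{name}-%{version}-fixed.tar.gz
"""

# Legitimate update: Version bumped, Source0 macro unchanged.
SPEC_UPDATE = """\
Name: foo
Version: 1.3
Release: 1%{?dist}
Source0: http://example.org/releases/%{name}-%{version}.tar.gz
"""

# Tarball moved to a different host without a Version bump.
SPEC_MIRRORED = """\
Name: foo
Version: 1.2
Release: 2%{?dist}
Source0: http://mirror.example.net/foo/%{name}-%{version}.tar.gz
"""

if __name__ == '__main__':
    for label, after in (('tampered', SPEC_TAMPERED), ('update', SPEC_UPDATE), ('mirrored', SPEC_MIRRORED)):
        print(label, audit_spec_change(SPEC_BEFORE, after) or ['no findings'])
```

The check is deliberately narrow: it will not catch a tarball whose contents were replaced under the same name, which is what a checksum list pinned in the repository is for, but it does surface the two signals the quoted steps rely on (a renamed Source without a version change, and a new download location) so that a human reads the commit instead of letting it slip past.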
