FAKE: Fedora Extras shipped popular package with rootkit and more than ten thousands systems were infected (was Re: Summary from last weeks FESCo meeting)

[Jonathan Underwood]

On 01/06/06, Konstantin Ryabitsev <icon at fedoraproject.org> wrote:
> In any case, this isn't a contingency we should really be spending
> that much time over, short of potentially developing a system of ACLs
> that would restrict CVS commits only to the actual package owners.

Would it help this discussion if the technicalities of developing such
a system were put on the table (apologies if this has been discussed
before and I missed it) ? This discussion would also be useful in the
context of developing a mechanism for having a team of people
responsible for a package, rather than a single owner. Do the problems
with the apprach alluded to by Konstantin have their roots in the
limitations of CVS permissions, or are there other issues?

Jonathan