sponsorship for package adoption without package submission (was Re: Claiming ownership for thinkpad related packages and pam_mount)

Hans de Goede j.w.r.degoede at hhs.nl
Tue May 16 17:24:24 UTC 2006



Thorsten Leemhuis wrote:
> On Tuesday, 16.05.2006, 09:41 +0200, Thorsten Leemhuis wrote:
>> On Monday, 15.05.2006, 13:14 -0500, Jason L Tibbitts III wrote:
>>> I think the committee should take up the idea of sponsorship for
>>> package adoption without package submission.
>> I sent the following to the FESCo list last week (it was in a similar
>> context).
>> [...]
>> That would mean (a lot of) extra work for the sponsors. And that's why
>> this idea probably will fail. Does anyone have a better idea?
> 
> Well, maybe a slightly different approach might be easier:
> 
> Package foo is orphaned. Bar is interested in taking it over, but he is
> no Extras contributor yet. Sponsor foobar steps up and sponsors bar for
> Extras cvs access (only cvs, bar gets *no* permission to request
> builds in plague). Bar updates packages and sends foobar a note when
> everything is ready. Foobar reviews the committed stuff and requests a
> build if everything is fine. If that worked fine for some update cycles
> and some time in general, bar gets fully sponsored and gets permission
> to request builds.
> 

Sounds like a good plan, except for one thing:
- Assume I'm an evil bastard who wants to inject bad code into FE cvs
- I say I want to unorphan a (few) package(s) and get sponsored
- I update them (I've chosen easy ones) and request builds, sponsor is
  happy
- In the meantime I also use my CVS access to inject some malware in a
  couple of much used, often released packages. I circumvent the CVS
  change mails (yes, that's possible, just hit ctrl-C at the right moment)
- After some time the packages get built for one reason or another by
  their actual owner with my malware included.

<OOPS>


Then again, I even have worries about this happening one day with the
current process. Thus what I do when I sponsor (so far 2 people only) is
look for other open source contributions. If they have got CVS access to
a couple of other projects they already have plenty of chance to inject
malware and thus probably won't (erm, does that make sense?)

But except for the above worries I like the idea in general. Actually I
had the same idea before reading your mail :)

Regards,

Hans
