Process Change: Package Reviews with Flags

Roozbeh Pournader roozbeh at farsiweb.info
Wed Feb 7 12:54:37 UTC 2007


On Tue, 2007-02-06 at 19:34 -0500, Jesse Keating wrote:
> It is not a matter of what HAS been done, it's a matter of what _could_ be 
> done.  You don't lock the door to your house because somebody has already 
> broken in, you lock it to prevent somebody from breaking in.

Well, don't get me wrong, but that is exactly what some people like me
do. We don't put locks somewhere unless it's really necessary (I highly
recommend the Canadian unlocked door part of the movie Bowling for
Columbine, to see how these people who don't lock their door think).
This is a way of life, and a way of thinking about life. We like to
think that there are not many bad people: otherwise, we turn into freaks
and will fear everybody.

Let me put it another way. If the United States has never attacked your
country, maybe they never will? Why develop atomic capabilities?
Really, why?

Of course one can be on the very cautious side and develop the atomic
capabilities ("for peaceful purposes only", and who is to deny that
defending one's country is not a peaceful purpose). But we hippie types
prefer to assume that the US will not attack us and we can actually live
better with that assumption on our minds.

(Please bear with my analogies.)

> Other people HAVE broken into other distributions and caused problems.

That of course is a very good reason to worry and then add locks. With
my example, having seen that the US actually attacked Iraq for no
reasonable reason, one can also assume that the same will happen to Iran
if we let that happen.

But still, people like me prefer to think "Oh, but Iran is different
from Iraq!" (and Fedora from all the guys who were attacked, for all the
reasons there may be, like having better and more security-minded system
administrators).

These rants are of course relevant only because I was the person whose
laptop with the SSH keys was stolen, which could theoretically be used
to find a way into the Extras system. The keys were of course password
protected and I reported the situation to Fedora people as soon as
possible on IRC, by email, and every other way I thought of before a brute
force could be used to find the passwords, but if we want to think about
all the possible scenarios, a targeted attack could even have used my
collaboration.

Theoretically, someone may still use physical force on me and get me to
type my password and insert whatever code he sees appropriate where he
wishes. Do I value the security of Fedora users more than my life or my
family's? Definitely not!

Roozbeh





More information about the Fedora-maintainers mailing list