Process Change: Package Reviews with Flags

Patrice Dumas pertusus at free.fr
Wed Feb 7 15:08:15 UTC 2007


On Wed, Feb 07, 2007 at 09:51:04AM -0500, Jesse Keating wrote:
> 
> going through the process to create their _own_ account.  Once that has been 
> done ( and we keep wanting to LOWER the barrier for this!! ), if there are no 

I don't think we should lower the barrier. On the contrary, I think that
we should be very cautious when sponsoring people -- although I don't
think that the main reason why we should be cautious is security, but
rather long-term involvement and the burden a contributor leaves behind when
leaving. Also we should always try to be able to identify the real
person behind the fedora contributor. That way the contributor may be
blamed in case of bad things done on purpose.

> barriers in place, that person can now run roughshod all over all the 
> packages, making any changes they want, building anything they want, causing 
> automated pushes to push out whatever they built, leading to people grabbing 
> packages and getting rooted, or even worse, insert some small thing in a 
> package that gets pulled into most buildroots that will further taint any 
> more builds.  Could be hard to detect until it is far far too late.  

Of course it will always be hard to check everything, but currently
(and for extras, with core it may not be possible anymore) it is
possible to keep an eye on the cvs commits, and on the build report for
a range of packages we are interested in and verify that everything is
right. 

(as a side note, I think that what is missing is a check of the 
checksum against what can be downloaded from the net, for packages 
that have a real Source on the net).

> With 
> proper barriers in place, the most damage a rogue user can do is to their own 
> package, or to any packages foolishly left wide open.

I don't like "foolishly". There are packages that have reasons to be 
closed, especially those that are frequently in the buildroot; there are
also packages that don't have that many security requirements, or a 
maintainer reactive enough to track everything that happens to the
package. Closing packages also has a cost.

--
Pat
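The side note above asks for a check of the packaged source's checksum against what can be downloaded from upstream. The following is an added example, not part of this thread and not Fedora's own tooling: it records the digests of the upstream tarballs in a small manifest, then verifies what is actually sitting in the package's source store against that manifest, flagging tampered, missing and unlisted files. The manifest line layout (`<algo> <hexdigest> <filename>`) and the sample tarball bytes are constructed assumptions for this example.

```python
"""Verify packaged source tarballs against recorded upstream checksums.

Example code added to illustrate the checksum check discussed in the thread;
the manifest format is an assumption, not any distribution's real format.
"""
import hashlib
import hmac

# Constructed sample "upstream" tarballs, kept in memory so the example runs
# offline. In practice these bytes would be fetched from the project's release URL.
UPSTREAM_SOURCES = {
    "foo-1.0.tar.gz": b"constructed upstream tarball for foo 1.0\n",
    "bar-2.3.tar.bz2": b"constructed upstream tarball for bar 2.3\n",
}


def digest(data, algo="sha256"):
    """Hex digest of in-memory file contents using a hashlib algorithm name."""
    h = hashlib.new(algo)
    h.update(data)
    return h.hexdigest()


def record_manifest(sources, algo="sha256"):
    """Produce a manifest with one '<algo> <hexdigest> <filename>' line per source.

    This is the step a maintainer runs once against the verified upstream
    download; the manifest is then committed alongside the spec file.
    """
    return "".join(
        f"{algo} {digest(data, algo)} {name}\n"
        for name, data in sorted(sources.items())
    )


def parse_manifest(text):
    """Parse the manifest into {filename: (algo, hexdigest)}; reject malformed lines."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"manifest line {lineno}: expected '<algo> <hexdigest> <filename>'")
        algo, hexdigest, name = parts
        if algo not in hashlib.algorithms_available:
            raise ValueError(f"manifest line {lineno}: unknown digest algorithm {algo!r}")
        entries[name] = (algo, hexdigest.lower())
    return entries


def verify_sources(manifest_text, local_sources):
    """Compare the sources present at build time against the recorded manifest.

    Returns {filename: "ok" | "MISMATCH" | "MISSING" | "UNLISTED"} so a reviewer
    can act on anything that is not "ok" before a build is pushed.
    """
    expected = parse_manifest(manifest_text)
    report = {}
    for name, (algo, want) in expected.items():
        if name not in local_sources:
            report[name] = "MISSING"
            continue
        got = digest(local_sources[name], algo)
        # Constant-time comparison; cheap here and a good habit for digest checks.
        report[name] = "ok" if hmac.compare_digest(got, want) else "MISMATCH"
    for name in local_sources:
        if name not in expected:
            # A tarball nobody recorded a checksum for deserves a look too.
            report[name] = "UNLISTED"
    return report


if __name__ == "__main__":
    manifest = record_manifest(UPSTREAM_SOURCES)
    print(manifest, end="")
    # Simulate a tarball in the source store that no longer matches upstream.
    tampered = dict(UPSTREAM_SOURCES)
    tampered["foo-1.0.tar.gz"] = b"constructed tarball with an unexpected change\n"
    for name, status in sorted(verify_sources(manifest, tampered).items()):
        print(f"{status:9s} {name}")
```

Running the block prints the generated manifest and then one status line per file; in the simulated run `foo-1.0.tar.gz` is reported as `MISMATCH` while `bar-2.3.tar.bz2` is `ok`. A missing upstream download is reported rather than silently passing, and the check is best run both on the maintainer's machine before committing and again on the build host, since the two copies are what the thread worries may diverge.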