ACL's, Why a Big Deal?

Warren Togami wtogami at redhat.com
Wed Feb 7 18:50:35 UTC 2007


Mamoru Tasaka wrote:
> Warren Togami wrote:
>> 2) For newly added packages, pkg.acl exists by default.  If you as an 
>> owner don't want such protectionism, just cvs remove it.
> 
> My opinion is, at least the sponsor of the person who maintains
> the package should have the right to access the package by default.
> 
> Then: has the idea of creating a rather big group including
> sponsors, cvs admin, etc... and giving some more free access rights
> to the people in the group (I remember someone proposed it before)
> gone away?
> 

Good point, and I think we should auto-add sponsors to pkg.acl.  But 
extrapolating from this, there are a few potential policy problems.

Scenario: Malicious Contributor
1) Malicious Contributor X gets sponsored after making one particularly 
good package.  (Not too hard.)
2) X removes sponsor from pkg.acl and proceeds to add malicious crap, 
trying to root users' boxes.
3) Sponsor notices, but is unable to fix it.  Must wait for a CVS admin 
to step in.

(This brings to mind, we really need super users to be more 
geographically distributed.  Currently all admins are in the American 
EST.  More about this later.)

Scenario: Red Hat Engineer
1) davej was sponsored by some Fedora sponsor Y.
2) davej owns kernel.
3) Thus Fedora sponsor Y may change kernel?

(In practice this isn't such a big deal, because Y can simply be removed 
from pkg.acl.  Y is also a trusted member of the community who at least 
in theory *should* know and respect ownership rules.)

So yes, we can add this kind of stuff in an automated fashion.  But we 
need to think a bit more first about the policy.

Warren Togami
wtogami at redhat.com



