ACL's, Why a Big Deal?
Warren Togami
wtogami at redhat.com
Wed Feb 7 18:50:35 UTC 2007
Mamoru Tasaka wrote:
> Warren Togami wrote:
>> 2) For newly added packages, pkg.acl exists by default. If you as an
>> owner don't want such protectionism, just cvs remove it.
>
> My opinion is, at least the sponsor of the person who maintains
> the package should have the right to access the package by default.
>
> Then: has the idea of creating a rather big group including
> sponsors, cvs admin, etc... and giving some more free access rights
> to the people in the group (I remember someone proposed before)
> gone away?
>
Good point, and I think we should auto-add sponsors to pkg.acl. But
extrapolating from this, there are a few potential policy problems.

Scenario: Malicious Contributor
1) Malicious Contributor X gets sponsored after making one particularly
good package. (Not too hard.)
2) X removes sponsor from pkg.acl and proceeds to add malicious crap,
trying to root users' boxes.
3) Sponsor notices, but is unable to fix it. Must wait for a CVS admin
to step in.

(This brings to mind, we really need super users to be more
geographically distributed. Currently all admins are in the American
EST. More about this later.)

Scenario: Red Hat Engineer
1) davej was sponsored by some Fedora sponsor Y.
2) davej owns kernel.
3) Thus Fedora sponsor Y may change kernel?

(In practice this isn't such a big deal, because Y can simply be removed
from pkg.acl. Y is also a trusted member of the community that at least
in theory *should* know and respect ownership rules.)

So yes, we can add this kind of stuff in an automated fashion. But we
need to think a bit more first about the policy.

Warren Togami
wtogami at redhat.com