new features in package CVS
Alan Cox
alan at redhat.com
Wed Jan 31 13:15:41 UTC 2007
On Wed, Jan 31, 2007 at 08:46:47AM +0100, Hans de Goede wrote:
> touched in a harmfull way. Just because someone is a beginning packager
> doesn't mean that he will start submitting random changes to other
> peoples packages.
Your risk model is wrong. One of your beginning programmers (probably a beginner
but it could be any of us) gets trojanned. The attacker then inserts a worm
into the autoconf scripts for that package which goes around committing itself
to other packages while infecting anyone who builds the package and adding
backdoors to their machines
Within a couple of days you'll have chaos.
If users can only touch packages they have access to then the ability for this
kind of attack drops dramatically and its more likely to be picked up early.
And people *WILL* try this sort of stuff because the prize (breaking into the
Red Hat internal network) is so high
Alan
More information about the Fedora-maintainers
mailing list