new features in package CVS
Dan Williams
dcbw at redhat.com
Wed Jan 31 15:19:22 UTC 2007
On Wed, 2007-01-31 at 15:54 +0100, Till Maas wrote:
> On Wednesday 31 January 2007 15:45, Dan Williams wrote:
>
> > For build submissions, it would seem fairly easy to have the build
> > system check the pkg.acl from it's pristine pkgcvs checkout and ensure
> > that the job owner is listed in the pkg.acl file, and otherwise fail the
> > job. That's not as ideal as a real accounts system, since the buildsys
>
> Is this really needed? As far as I understand how the buildsystem works, it
> checks the cvs out with the requested tag. So it would always only build the
> stuff that someone who is authorized by cvs acls commited and tagged. Or am I
> wrong here?
Right, but anyone can request a build from any tag at any time. So if
you tag something, but don't build it, then figure out that a security
issues requires a new version, somebody else could have built your other
one in the mean time. The attack is a lot less serious than allowing
anyone to build anything, of course (since only the package owner can
tag) but it does leave a few "holes" like this lying around.
Dan
More information about the Fedora-maintainers
mailing list