new features in package CVS

[Ralf Corsepius]

On Wed, 2007-01-31 at 08:15 -0500, Alan Cox wrote:
> On Wed, Jan 31, 2007 at 08:46:47AM +0100, Hans de Goede wrote:
> > touched in a harmfull way. Just because someone is a beginning packager 
> > doesn't mean that he will start submitting random changes to other 
> > peoples packages.
> 
> Your risk model is wrong. One of your beginning programmers (probably a beginner
> but it could be any of us) gets trojanned. The attacker then inserts a worm
> into the autoconf scripts for that package which goes around committing itself
> to other packages while infecting anyone who builds the package and adding
> backdoors to their machines
> 
> Within a couple of days you'll have chaos.
> 
> If users can only touch packages they have access to then the ability for this
> kind of attack drops dramatically and its more likely to be picked up early.

I don't see this. We all signed the CLI, we all log in through ssl, the
VCS will log all changes, so everybody committing something already
should be traceable.

Whether somebody deliberately/non-deliberately places a trojan into a
package not owned by him or owned by somebody else, or imports an
infected tarball, doesn't make much of a difference.

> And people *WILL* try this sort of stuff because the prize (breaking into the
> Red Hat internal network) is so high

The only thing that really changes with a merged Core/Extras is the
impact infecting a central package, which nowadays is in Core would
have, would likely be larger.

E.g. a thief having stolen a Fedora maintainers's notebook or somebody
having intruded into a system with his "secret ssl keys, passwd, etc."
will find 2000-3000 packages more, he can place his malware on, than he
could do until now.

But .. isn't the likelihood of somebody intruding a Fedora mirror and
placing malicious packages there, much larger?

Ralf