new features in package CVS
Christopher Stone
chris.stone at gmail.com
Wed Jan 31 15:55:51 UTC 2007
On 1/31/07, Alan Cox <alan at redhat.com> wrote:
> On Wed, Jan 31, 2007 at 08:46:47AM +0100, Hans de Goede wrote:
> > touched in a harmfull way. Just because someone is a beginning packager
> > doesn't mean that he will start submitting random changes to other
> > peoples packages.
>
> Your risk model is wrong. One of your beginning programmers (probably a beginner
> but it could be any of us) gets trojanned. The attacker then inserts a worm
> into the autoconf scripts for that package which goes around committing itself
> to other packages while infecting anyone who builds the package and adding
> backdoors to their machines
>
> Within a couple of days you'll have chaos.
>
> If users can only touch packages they have access to then the ability for this
> kind of attack drops dramatically and its more likely to be picked up early.
>
>
> And people *WILL* try this sort of stuff because the prize (breaking into the
> Red Hat internal network) is so high
Riiiiiiiiiiiiiiiight.
And people at redhat are completely immune to such attacks while the
extra packagers are so nieve that it is very likely to happen once we
open up the core cvs.
I'm sorry, but this part of the discussion just seems completely
laughable to me.
More information about the Fedora-maintainers
mailing list