new features in package CVS
Alan Cox
alan at redhat.com
Wed Jan 31 16:01:47 UTC 2007
On Wed, Jan 31, 2007 at 04:53:18PM +0100, Ralf Corsepius wrote:
> I don't see this. We all signed the CLI, we all log in through ssl, the
> VCS will log all changes, so everybody committing something already
> should be traceable.
Which is frequently too late. It is for the same reason you have file
permissions. I trust the users of my external box absolutely, but they all
have their own file permissions - because people make mistakes, because that
way trojans can be isolated and attacks limited.
> Whether somebody deliberately/non-deliberately places a trojan into a
> package not owned by him or owned by somebody else, or imports an
> infected tarball, doesn't make much of a difference.
The imported tarball is watched by a lot more people in a lot more places.
> But .. isn't the likelihood of somebody intruding into a Fedora mirror and
> placing malicious packages there, much larger?
Guess why rpm packages are digitally signed.