ACL removal day?!
Rahul Sundaram
sundaram at fedoraproject.org
Tue Jun 19 17:39:55 UTC 2007
Steve Grubb wrote:
> On Tuesday 19 June 2007 13:10:10 Rahul Sundaram wrote:
>>> ... then they are able to remove them, and we can discuss changing the
>>> defaults/adding something to the CVS request form/whatever. I'm not
>>> seeing the problem here?
>> The need for ACLs by default that restrict the package to only the
>> package maintainers is not clear
>
> This needs to be clear. It's for security. If you take all ACLs off the
> packages and an account becomes compromised, the attacker can get to
> everything.
>
> Please keep the ACLs by default so that there is not a window where a package
> is left unguarded if it needed to be.

It can work the other way around too. Remember that the large majority
of packages are maintained in Fedora on a voluntary basis and many of
them are very important ones.

What happens if there is a highly critical security issue on one of
those packages where the maintainers are not responding as quickly as
ideal because they got sick, went on a vacation or simply lost interest?

If you are going to have ACLs by default:

1) Document it explicitly.
2) Recommend that package maintainers consider the need for ACLs carefully.
3) Give blanket access to a select set of groups to fix issues as
necessary - Rel Eng, FESCo, Fedora Security Team and possibly a small
number of people who have a well known history of doing good QA work on
the repository.

Rahul