ACL removal day?!
Steve Grubb
sgrubb at redhat.com
Wed Jun 20 15:47:24 UTC 2007
On Wednesday 20 June 2007 11:27, Ralf Corsepius wrote:
> On Wed, 2007-06-20 at 23:18 +0800, David Woodhouse wrote:
> > On Wed, 2007-06-20 at 16:56 +0200, Ralf Corsepius wrote:
> > > Without ACLs in effect he will be able to
> > > compromise other packages than yours.
> >
> > We don't need an ACL on _commits_. We can have one on _builds_.
>
> Absolutely. IMO, this would be a reasonable compromise.
The problem is that you will see a patch from someone that appears to be a
maintainer. You might look it over or might not. If you looked it over, you
might not realize it opens a hole in that package. The attacker has planted
the problem and is waiting for you to do the build and distribute it to the
world.
When we take packages from upstream, there are a lot of eyes watching the
package. If they are compromised, it will affect us, Debian, Suse, Mandriva,
Ubuntu...iow there are a lot of people that might catch the problem.
When it comes to a distribution, there are fewer people affected and malicious
code could live longer before being detected. SE Linux can help a lot in
being able to see sudden behavior changes, but there are only 200 or so
domains that are confined.
> > Or preferably just on _pushes_ to the repository -- people other than the
> > maintainer can build an untagged package and the maintainer (or someone
> > in the ACL) would have to tag it for the intended collection.
>
> Don't get me wrong, I am vehemently opposed to the current ACLs. IMO,
> all they do is to close out "people who are following the rules of the
> game" and are unlikely to help in cases of real attacks.
All we are talking about is the default setting. You can remove it later if
you want to take that risk. It's going to be a lot harder to re-establish
trust if the Fedora code base gets hacked than it was to have some preventive
measures in the first place.
-Steve