ACL removal day?!

Steve Grubb sgrubb at redhat.com
Wed Jun 20 15:47:24 UTC 2007


On Wednesday 20 June 2007 11:27, Ralf Corsepius wrote:
> On Wed, 2007-06-20 at 23:18 +0800, David Woodhouse wrote:
> > On Wed, 2007-06-20 at 16:56 +0200, Ralf Corsepius wrote:
> > >  Without ACLs in effect he will be able to
> > > compromise other packages than yours.
> >
> > We don't need an ACL on _commits_. We can have one on _builds_.
>
> Absolutely. IMO, this would be a reasonable compromise.

The problem is that you will see a patch from someone that appears to be a 
maintainer. You might look it over or might not. If you looked it over, you 
might not realize it opens a hole in that package. The attacker has planted 
the problem and is waiting for you to do the build and distribute it to the 
world.

When we take packages from upstream, there are a lot of eyes watching the 
package. If they are compromised, it will affect us, Debian, Suse, Mandriva, 
Ubuntu...iow there are a lot of people that might catch the problem.

When it comes to a distribution, there are fewer people affected and malicious 
code could live longer before being detected. SELinux can help a lot in 
being able to see sudden behavior changes, but there are only 200 or so 
domains that are confined.

> > Or preferably just on _pushes_ to the repository -- people other than the
> > maintainer can build an untagged package and the maintainer (or someone
> > in the ACL) would have to tag it for the intended collection.
>
> Don't get me wrong, I am vehemently opposed to the current ACLs. IMO,
> all they do is to close out "people who are following the rules of the
> game" and are unlikely to help in cases of real attacks.

All we are talking about is the default setting. You can remove it later if 
you want to take that risk. It's going to be a lot harder to re-establish 
trust if the Fedora code base gets hacked than it was to have some preventive 
measures in the first place.

-Steve




More information about the Fedora-maintainers mailing list