New package cvs requests. opt out of cvsextras commit rather than in?

John Dennis jdennis at redhat.com
Wed Dec 5 14:29:41 UTC 2007


>> Why would he put something bad? Being malicious?

> Yes. Sure, for most people the hurdle is likely too high to go that
> route, but OTOH it's a great way to get bad code out to lots of systems
> quickly (and a way to ruin our fame)

Linux has been mostly immune to malware. For anyone writing malware one 
of the challenges is propagating the infected code.

So let's not give bad folks the perfect vehicle for distributing their 
malware through an official update channel which automatically gets 
pushed to tens of thousands of machines with the implication of being 
clean software. Such an event would be devastating to the entire open 
source community.

If one doesn't think this is going to happen or you think the ultimate 
consequences for open source adoption would be benign then I have a 
bridge I'd like to sell you.

Also, if you think the bar to getting a Fedora account is so high as to 
make this unlikely then you've forgotten that anyone with enough 
software savvy to write malware would view that hurdle as a house of straw.

If you think there aren't plenty of folks the world over just waiting 
for their 15 minutes of hacker fame or who have a desire to teach 
RedHat/Fedora a lesson then I can offer you a discount on that bridge.

Do we need a better mechanism for accepting contributions from the 
community? Probably. Are open commit lists the answer? No.

If you think the problem would be mitigated by package maintainers 
rigorously reviewing all changes *after* they've been committed, you're 
forgetting human nature and the fact that most maintainers are overworked to 
begin with. By extension, if you demand maintainers review every commit, 
then how is that effectively different from the current process of 
posting a patch in a bugzilla and asking the maintainer to review it 
before committing it?

-- 
John Dennis <jdennis at redhat.com>
