Paul P Komkoff Jr wrote:
Replying to Thorsten Leemhuis:

4. checkout some popular packages, upload new tarballs with a slightly different names and a root-kit in it. Modify the "Source0" accordingly

5. commit the changes, hit "CTRL-C" at the right point of time so the commit-message is not sent to commits-list

Either I am wrong or this clearly shows a major flaw in current infrastructure when anyone with commit access can modify anything in the extras tree?
Flaw, more of a feature. I like the current openness of FE and I think we should be very careful not to lose this openness.
I share Thl's worries, actually I kinda whispered them into his ear, but I was whispering because I didn't want my worries to lead to a discussion which in turn could lead to a much more closed FE. We're a community distro, trust is important if not vital!
I personally am trying to be careful with whom I sponsor, checking for previous OSS work, etc., and monitoring every move they make for some time after I sponsor them until I'm comfortable that they can be trusted.
I think people who want to inject malware into OSS will always find a way; the fact that this currently hasn't happened much shows that we're apparently a healthy community and that the risks of getting caught are big enough to scare people away.
Regards, Hans