
Re: new features in package CVS



On Wed, 2007-01-31 at 08:15 -0500, Alan Cox wrote:
> Your risk model is wrong. One of your beginning programmers (probably a beginner
> but it could be any of us) gets trojanned. The attacker then inserts a worm
> into the autoconf scripts for that package which goes around committing itself
> to other packages while infecting anyone who builds the package and adding
> backdoors to their machines

Because a bazillion suspicious commits across thousands of packages from
the same person would NEVER get noticed before the repo push...

The place to stop this is to have package signing/pushes continue to be
a manual process in some way. If something suspicious happens, just
don't push the packages to the repos until you're certain you can trust
them.

I feel fascist ACLs everywhere is damaging to the community. It's a big
glowing neon sign saying we DON'T trust each other. It only hides
problems. It's the difference between being in the same room with a bunch
of people, each holding a knife, and everyone locking themselves in
separate rooms holding a knife. Sure, you might not get stabbed in the
back right away, but for all you know, someone else might be sitting in
their room, stewing and frothing, just waiting for the chance to stab
you in the back the second you open the door. I'd rather, err, get
stabbed in the back right away. I guess. Okay so that's a bizarre
analogy but it's all I can think of right now...

... On the other hand, I don't think locking down certain critical
packages, like the gcc toolchain and the kernel, is entirely
unreasonable.

The key here is we should have the tools for detection and prevention to
be a community process. It should be a HUMAN process based on trust, not
a distrustful, paranoid process based on barriers, fences and walls.
