[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: sponsorship for package adoption without package submission (was Re: Claiming ownership for thinkpad related packages and pam_mount)

Am Dienstag, den 16.05.2006, 19:24 +0200 schrieb Hans de Goede:
> Thorsten Leemhuis wrote:
> > Am Dienstag, den 16.05.2006, 09:41 +0200 schrieb Thorsten Leemhuis:
> >> Am Montag, den 15.05.2006, 13:14 -0500 schrieb Jason L Tibbitts III: 

> Sounds like a good plan, except for one thing:
> -Assume I'm an evil bastard who wants to inject bad code into FE cvs
> -I say I want to unorphan a (few) package(s) and get sponsered
> -I update them (I've choosen easy ones) and request builds, sponsor is
>  happy
> -In the mean time I also use my CVS access to inject some malwhere in a
>  couple of much used often released packages. I circumvent the CVS
>  change mails (yes thats possible, just hit ctrl-C at the right moment)
> -After some time the packages get build for one reason or another by
>  their actual owner with my malware included.
> <OOPS>

But why use orphan package as the entry point to get CVS access to
Extras to "inject some malwhere"? You can have CVS access already nearly
just as easy: Just package something, get it approved and get yourself
sponsored. That not that more difficult.

> Then again I even have worries about this happening oneday with the
> current process. [...]

Yeah, we might have grown so far that we need to limit access in CVS a
bit more. We probably need to "add layers of control and management and
procedures" to make everything more safe.

Thorsten Leemhuis <fedora leemhuis info>

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]