sponsorship for package adoption without package submission (was Re: Claiming ownership for thinkpad related packages and pam_mount)

Thorsten Leemhuis fedora at leemhuis.info
Tue May 16 17:51:39 UTC 2006


On Tuesday, 16.05.2006, 19:24 +0200, Hans de Goede wrote:
> 
> Thorsten Leemhuis wrote:
> > On Tuesday, 16.05.2006, 09:41 +0200, Thorsten Leemhuis wrote:
> >> On Monday, 15.05.2006, 13:14 -0500, Jason L Tibbitts III wrote: 

> Sounds like a good plan, except for one thing:
> -Assume I'm an evil bastard who wants to inject bad code into FE cvs
> -I say I want to unorphan a (few) package(s) and get sponsored
> -I update them (I've chosen easy ones) and request builds, sponsor is
>  happy
> -In the meantime I also use my CVS access to inject some malware in a
>  couple of much used, often released packages. I circumvent the CVS
>  change mails (yes, that's possible, just hit ctrl-C at the right moment)
> -After some time the packages get built for one reason or another by
>  their actual owner with my malware included.
> <OOPS>

But why use an orphaned package as the entry point to get CVS access to
Extras to "inject some malware"? You can get CVS access already nearly
just as easily: just package something, get it approved and get yourself
sponsored. That's not that much more difficult.

> Then again I even have worries about this happening one day with the
> current process. [...]

Yeah, we might have grown so far that we need to limit access in CVS a
bit more. We probably need to "add layers of control and management and
procedures" to make everything more safe.

CU
thl
-- 
Thorsten Leemhuis <fedora at leemhuis.info>
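As an added illustration (not part of the thread, and not Fedora Extras tooling), here is the kind of reconciliation a repository maintainer could run against the two gaps the scenario above relies on: commits whose change mail never went out, and commits by a sponsored account to modules it was not sponsored for. Module names, accounts and revisions are constructed.

```python
# Added example, not from the thread: reconcile a CVS-style commit history
# against the change mails that were actually delivered, and against the
# modules each sponsored account was admitted for. All data is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Commit:
    module: str
    file: str
    revision: str
    author: str


# Constructed: what a `cvs log` style history would record for two modules.
HISTORY = [
    Commit("tpb", "tpb.spec", "1.4", "newbie"),
    Commit("tpb", "tpb.spec", "1.5", "newbie"),
    Commit("popular-lib", "popular-lib.spec", "1.37", "newbie"),
    Commit("popular-lib", "popular-lib.spec", "1.38", "owner"),
]

# Constructed: (module, file, revision) parsed from the list archive of
# commit mails that really reached subscribers.
NOTIFIED = {
    ("tpb", "tpb.spec", "1.4"),
    ("tpb", "tpb.spec", "1.5"),
    ("popular-lib", "popular-lib.spec", "1.38"),
}

# Constructed: which modules each sponsored account was taken on for.
SPONSORED_FOR = {"newbie": {"tpb"}}


def unnotified_commits(history, notified):
    """Commits in the repository history with no matching change mail."""
    return [c for c in history
            if (c.module, c.file, c.revision) not in notified]


def commits_outside_sponsorship(history, sponsored_for):
    """Commits a sponsored account made to modules it was not sponsored for."""
    return [c for c in history
            if c.author in sponsored_for
            and c.module not in sponsored_for[c.author]]


if __name__ == "__main__":
    for c in unnotified_commits(HISTORY, NOTIFIED):
        print("no change mail:", c)
    for c in commits_outside_sponsorship(HISTORY, SPONSORED_FOR):
        print("outside sponsorship:", c)
```

Both checks flag the same constructed commit (popular-lib.spec 1.37 by "newbie"), which is exactly the commit a sponsor reviewing only the unorphaned package would never see.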
