[Fedora-legacy-list] Trust Issues (was: Re: System)

Warren Togami warren at togami.com
Wed Nov 5 02:50:13 UTC 2003


On Tue, 2003-11-04 at 11:13, David J. Bianco wrote:
> Another emphatic YES from me.  If we expect people to trust us for security
> patches, we must provide them with some assurance that a) the fix works, and
> b) it does not contain malicious code.  Neither of these determinations
> should be left up to a single person, and CERTAINLY not to the person who
> submits the patch.
> 
> I imagine the other Fedora developers are planning to address this problem,
> since they also have to distribute code supplied by their semi-anonymous
> developer community.  Does anyone know how they plan to handle things?
> 
> 	David

fedora.redhat.com has indicated earlier that there will be a formal
developer sign-up process where you need to sign legal forms and provide
proof of identification.  In addition to this I hope we will have
something similar to fedora.us's current ultra-paranoid use of GPG,
signing developer keys only after they have proven their cluefulness and
trustworthiness over a period of many months of submitting good
packages and providing good QA feedback for other packagers.

Warren
