new features in package CVS
Ralf Corsepius
rc040203 at freenet.de
Wed Jan 31 16:21:30 UTC 2007
On Wed, 2007-01-31 at 11:01 -0500, Alan Cox wrote:
> On Wed, Jan 31, 2007 at 04:53:18PM +0100, Ralf Corsepius wrote:
> > I don't see this. We all signed the CLI, we all log in through ssl, the
> > VCS will log all changes, so everybody committing something already
> > should be traceable.
>
> Which is frequently too late.
Yes, but do ACLs change anything about this?
Except that a maintainer won't be able to place a trojan into your
packages, he could still place them into his.
The end result would be the same: He would have infected Fedora and he
would be traced down the same way.
> > Whether somebody deliberately/non-deliberately places a trojan into a
> > package not owned by him or owned by somebody else, or imports an
> > infected tarball, doesn't make much of a difference.
>
> The import tar ball is watched by a lot more people in a lot more places.
Really?
Does anybody verify the tarballs a maintainer submitted against those on
an external site - post-review? Many packages even don't have an
upstream, or their upstream is hidden in a VCS and therefore are not
really monitored.
Does anybody check the patches inside of the lookaside cache (they are
invisible on fedora-commits, the list that nobody reads ;) )?
Ralf
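The post-review check Ralf asks about, tarballs and patches in the lookaside cache compared against what upstream actually published, can be automated. The following is an added example and not code from the thread or from Fedora's tooling; it assumes sha256sum-style digest lists (`hexdigest  filename`) for both the package's recorded `sources` file and an upstream-published checksum list, and constructs its sample files in a temporary directory.

```python
"""Post-review integrity check for a package's source files.

Compares every file recorded in the package's `sources` list against
(1) the bytes actually sitting in the local/lookaside directory and
(2) the digest upstream published for that file name.
Assumption: both lists use sha256sum-style "hexdigest  filename" lines.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_digest_list(text: str) -> dict:
    """Parse 'hexdigest  filename' lines into {filename: digest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        entries[name.strip().lstrip("*")] = digest.lower()
    return entries


def verify_sources(source_dir: Path, sources_text: str, upstream_text: str) -> dict:
    """Return {filename: status} for every file the maintainer recorded.

    ok                  file matches both the recorded and the upstream digest
    missing-local       recorded but not present in the cache directory
    mismatch-recorded   cache bytes differ from what the maintainer recorded
    no-upstream-digest  upstream publishes nothing for this name (local patch
                        or unpublished tarball): needs human review
    mismatch-upstream   recorded digest is not the one upstream published
    """
    recorded = parse_digest_list(sources_text)
    upstream = parse_digest_list(upstream_text)
    report = {}
    for name, rec_digest in recorded.items():
        path = source_dir / name
        if not path.is_file():
            report[name] = "missing-local"
            continue
        actual = sha256_file(path)
        if actual != rec_digest:
            report[name] = "mismatch-recorded"
        elif name not in upstream:
            report[name] = "no-upstream-digest"
        elif actual != upstream[name]:
            report[name] = "mismatch-upstream"
        else:
            report[name] = "ok"
    return report


def demo() -> dict:
    """Build a constructed cache directory covering each status and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        good = d / "pkg-1.0.tar.gz"
        good.write_bytes(b"constructed upstream tarball")
        swapped = d / "pkg-1.0-docs.tar.gz"
        swapped.write_bytes(b"constructed tarball that upstream never published")
        patch = d / "pkg-1.0-fix.patch"
        patch.write_bytes(b"--- a/file\n+++ b/file\n")
        tampered = d / "pkg-extra.tar.gz"
        tampered.write_bytes(b"bytes that changed after the maintainer recorded them")

        # What the maintainer committed to the sources list (constructed).
        sources = "\n".join([
            f"{sha256_file(good)}  {good.name}",
            f"{sha256_file(swapped)}  {swapped.name}",
            f"{sha256_file(patch)}  {patch.name}",
            f"{hashlib.sha256(b'what the maintainer recorded').hexdigest()}  {tampered.name}",
            f"{'0' * 64}  pkg-gone.tar.gz",
        ])
        # What upstream publishes on its external site (constructed).
        upstream = "\n".join([
            f"{sha256_file(good)}  {good.name}",
            f"{hashlib.sha256(b'real upstream docs tarball').hexdigest()}  {swapped.name}",
        ])
        return verify_sources(d, sources, upstream)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:20} {name}")
```

Anything other than `ok` is what a reviewer would actually want flagged: `mismatch-upstream` is the "imported tarball differs from upstream" case, and `no-upstream-digest` is exactly the patch-in-the-lookaside-cache case the message points out nobody looks at.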