ACL removal day?!

Thorsten Leemhuis fedora at leemhuis.info
Tue Jun 19 17:33:53 UTC 2007



On 19.06.2007 19:24, Steve Grubb wrote:
> On Tuesday 19 June 2007 13:10:10 Rahul Sundaram wrote:
>>> ... then they are able to remove them, and we can discuss changing the
>>> defaults/adding something to the CVS request form/whatever. I'm not
>>> seeing the problem here?
>> The need for ACLs by default that restrict the package to only the
>> package maintainers is not clear
> 
> This needs to be clear. It's for security. If you take all ACLs off the
> packages and an account becomes compromised, the attacker can get to 
> everything. 
> 
> Please keep the ACLs by default so that there is not a window where a package 
> is left unguarded if it needed to be.

I'd say we should work towards a middle ground -- ACLs by default, but
create some kind of "trusted contributors" group (say sponsors, FESCo
members and packagers with more than 25 packages) that get access
everywhere.

Just my 2 cents.

CU
thl



