[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

permissions in cvs and security for our packages (Re: Plan for tomorrows (20070816) FESCO meeting)

On 17.08.2007 17:50, Toshio Kuratomi wrote:
> Thorsten Leemhuis wrote:
> [...]
> FESCO keeps discussing this [...]

I got the impression that yesterdays FESCo meeting ended the discussion
for next few months. I think that's really bad because it's *IMHO*
(maybe I'm just being over carefully and to frightened here...)
currently way to easy for a malicious attacker to get bad packages with
bad code out to the users:

- put a package up for review
- get sponsored -- that's still the hardest parts, but not that hard if
you reply to questions and advices from the reviewer quickly and poke
the right people
- watch mailing list and http://fedoraproject.org/wiki/Vacation for
people being afk for longer time-periods
- commit something bad to some well known packages which are (1) owned
by folks being away and (2) without co-maintainers; hit CTRL+C quickly
when cvs mentions that changes got commit -- if you are fast enough no
commit mail will get send to the commits-list. Even if one gets send --
if you are a bit careful (e.g. upload a modified tarball with the
malicious code) then chances are good none of those few people that take
a closer look at some the commit-mails on cvs-extras-commits will notice
something bad(¹)
- for F6 and devel the bad code will get out to the repo on it's own
soon and find its way to the users automatically. For F-7 you need to
get it out through bodhi -- not sure if it checks if the one that pushes
a package is owning it. If not then the attacker can push his trojan
horse easily himself. Chances this get noticed will be small as well.

I think it's just a matter of time until something similar to what I
outlined above might happens (reminder, both gentoo and ubuntu had
problems with attackers in the last couple of days).

Giving all sponsors access by default instead of "all new packagers get
access to all new packages and round about 2935 out of 4847 packages
(counted only devel branches and I hope my counting method was correct)"
would have been the way saner choice IMHO.


(¹) -- heck, I could even imagine ways where even the real owner might
not notice changes (albeit that would depend on the way the real owner

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]