Mittwoch, 5. Dezember 2007

Parallel universes ^w discussions

Mailing lists are funny sometimes -- like today on fedora-devel. There is one discussion where some people support the idea to get rid of mosts ACLs in CVS (often found in old Core packages) so all (new and old contributers) can commit (nearly) everywhere.

At the same time there is a debate about restricting CVS more due to security concerns (disclaimer: I'm the one that brought the old topic up again), as a malicious attacker can modify random packages in CVS once he got sponsored for cvsextras (with is neither easy nor very hard). The latter discussion resulted in a IMHO nice post from John Dennis. To quote just a part:

Linux has been mostly immune to malware. For anyone writing malware one of the challenges
is propagating the infected code.

So lets not give bad folks the perfect vehicle for distributing their malware through an
official update channel which automatically gets pushed to tens of thousands of machines
with the implication of being clean software. Such an event would be devastating to the entire
open source community.

The funny thing about it: both the views I mentioned above are IMHO right somehow. We IMHO need to get hurdles (like to restricting ACLs, but also those in our heads that say "that package is owned by someone else, I won't touch it") out of the way to have a more wiki-like working style for maintaining packages in Fedora. But at the same time we need fences to prevent that new contributers immediately get access in areas where they don't need access, to prevent malicious people to do bad things easily.

Keine Kommentare: