| 1 |
On Fri, 2006-06-09 at 02:53 +0200, Stefan Schweizer wrote: |
| 2 |
> Stefan Schweizer wrote: |
| 3 |
> it is actually encouraged to update bugzilla when changes are made in the |
| 4 |
> overlay. |
| 5 |
|
| 6 |
Encouraged? If you leave it at that, people will forget, and things will |
| 7 |
get out of sync. At the very least you should supply per-package rss |
| 8 |
feeds and email subscriptions. Otherwise this will be a downgrade in |
| 9 |
functionality from the current bugzilla system. (Which I think is |
| 10 |
perfectly fine as it is.) |
| 11 |
|
| 12 |
> The ebuilds have a quality, repoman is required to be run. Also contributors |
| 13 |
> should be knowing what they are doing - they are submitting an ebuild to |
| 14 |
> the sunrise overlay, it needs to follow certain standards. |
| 15 |
|
| 16 |
And what if they do know what they're doing, and what they're doing is |
| 17 |
subverting Gentoo systems en masse? You're proposing to hand out commit |
| 18 |
access to anyone who makes a case on IRC; you have no way to tell that |
| 19 |
they aren't an attacker. |
| 20 |
|
| 21 |
Part of the reason becoming a dev is expensive is that it provides a |
| 22 |
barrier for attackers (and gives recruiters time to check that the |
| 23 |
candidate is who they claim to be). By using Gentoo resources for this |
| 24 |
project you're implying that the ebuilds can be trusted; hordes of users |
| 25 |
*will* sync with the sunrise overlay, giving an attractive target to |
| 26 |
attackers. (Or what if they're attacking overlays.gentoo.org itself? |
| 27 |
This stuff is shell code; some well-meaning person's going to source it |
| 28 |
at some point.) |
| 29 |
|
| 30 |
And similarly, Gentoo's reputation would be immeasurably damaged if an |
| 31 |
attacker succeeded in sneaking malicious code in. (Don't say you'll |
| 32 |
review it; can you review every line of a 20K gcc4-compatibility patch? |
| 33 |
Have you read the Underhanded C Contest?[1]) |
| 34 |
|
| 35 |
|
| 36 |
Ed |
| 37 |
|
| 38 |
|
| 39 |
[1] http://www.brainhz.com/underhanded/ |
| 40 |
|
| 41 |
|
| 42 |
-- |
| 43 |
gentoo-dev@g.o mailing list |
Archives