Package Review Stats for the week ending January 18th, 2009

Robert Scheck robert at fedoraproject.org
Fri Jan 30 20:19:46 UTC 2009


On Thu, 29 Jan 2009, Thomas Moschny wrote:
> 2009/1/29 Conrad Meyer <konrad at tylerc.org>:
> > In either case, the package owner gets an email summarizing changes to CVS,
> > and can revert the CVS change. If the newbie was malevolent and/or the problem
> > persists, they can be kicked out of Fedora. If not, they learned their lesson
> > (similar to Wikipedia's "please go play in the sandbox, kid").
> 
> Unless (as I was told today on IRC, did not try that myself) there's
> still some sort of long-standing bug allowing you to suppress that
> email by pressing ctrl-c at the right moment.

Yes, this issue still exists. It happened to myself accidentally a couple of
times in the past, when switching and acting to the wrong screen.

But didn't we learn in this thread, that Fedora only has good people, that
would never exploit such an issue? Wasn't there "believe-in-good-will"
mentioned by drago01 or the "you'll have to accept that not everyone is as
paranoid as you" by Kevin Kofler? Those are just two examples, the third one
is anyway at the beginning of this e-mail. Belief in the good of all Fedora
people can't be the way how we handle security relevant things. And the
provenpackager thing is IMHO somehow related to that, as it currently even
protects us from harmful actions, where we maybe wouldn't get noticed via
e-mail about, caused by this long-standing CVS issue.

And yes, I know I'm the only bad guy in whole Fedora (except the Robert
Scheck-haters as Conrad Meyer luckily pointed out). Nicolas Mailhot is
putting me to his shitlist...so yes, there is really no reason why we do
not need security and some paranoia at the Fedora Project as long as we
have enough belief in good will. And as the former bad guy Thorsten got
more and more inactive in the last time, it looks like it's just me... ;-)

If we're really going to make provenpackagers useless as some people have
suggested on this thread, we must fix that outstanding security issue in
before - independent whether I'm considered to be paranoid or not. I still
wonder, why this didn't get assigned/solved/fixed until now.

Oh, if I've already the salt in my hands: I didn't hear since my December
2008 mail and a more-or-less-reply, that work is going on, no public news
regarding the current status: The intrusion into the servers of the Fedora
Project is still not solved - or does somebody hope, that it gets silently
forgotten? Maybe our "CSI Fedora" [1] can really take care about and do one
or another autopsy to present the facts after 60 minutes as in TV series?
So we could hand out this case to "CSI Miami" or "CSI New York" instead of
trying to close the files in a silent way, too...

Security starts in the beginning and applying security updates is not the
whole thing - same as at quality rather quantity! And the minor details are
deciding whether it is safe, a hole or whether it's a feature or a bug. I
would like to assign the above mentioned issues to Paul and the rest of the
Fedora board with a higher priority as in before - I think we all can agree
here, that the current situation about lack of open communication and the
security issues are absolutely indiscutable, right?

[1] http://infrastructure.fedoraproject.org/csi/


Greetings,
  Robert
