Package Review Process Policy

Adam Williamson awilliam at redhat.com
Sat Sep 8 07:15:15 UTC 2012


On 2012-09-07 23:50, troopa wrote:

> Personally, I find this to be an unacceptable standard. Especially
> coming from a project that is directly associated with a reputable
> project like RedHat. Sure, maybe security is more important to me than
> most everyone else, but security should at least be important enough
> to at least check the code to verify it provides advertised
> functionality and nothing more.

Think about the practical implications of this. Take, say, MATE or 
Cinnamon, both recently added or trying to be added to Fedora repos. 
This would require both the packager and reviewer to be a) capable of 
and b) have enough time to review the _entire_ code base of each project 
and declare that they found no security issues. It's an incredibly 
difficult process.

I'd take a high level summary and say that Fedora's processes and 
policies, broadly, assume an element of good faith. Your proposal 
appears to take the opposite tack: a defensive posture, assuming all new 
code is bad until proven otherwise. This is a very difficult stance for 
a project like Fedora to take convincingly. After all, if someone's 
trying to trojan in something evil, why would you expect them to leave 
it in plain sight? Surely they'd try to obfuscate it as much as 
possible. As the Obfuscated C Code Contest and others show, there's all 
sorts of possibilities down this line. If we're going to take a 
defensive posture to all proposed Fedora packages, we'd need a corps of 
elite coders to review every submitted package with a fine-toothed comb.

In practice, we have enough trouble just finding people committed 
enough to perform the currently required review processes. It seems 
unrealistic to believe Fedora is capable of performing a comprehensive 
security audit on all the zillions of lines of code it contains and 
which are regularly added to it...

Bodies with really serious security needs, like the NSA, have always 
taken 'consumer level' products like Fedora and performed their own 
security evaluations on them. I don't think that's an unreasonable 
approach. If you have really serious security requirements, then you may 
need to shoulder some of the burden of enforcing them yourself.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net