Package Review Process Policy
Adam Williamson
awilliam at redhat.com
Sat Sep 8 07:15:15 UTC 2012
On 2012-09-07 23:50, troopa wrote:
> Personally, I find this to be an unacceptable standard. Especially
> coming from a project that is directly associated with a reputable
> project like RedHat. Sure, maybe security is more important to me than
> most everyone else, but security should at least be important enough
> to at least check the code to verify it provides advertised
> functionality and nothing more.
Think about the practical implications of this. Take, say, MATE or
Cinnamon, both recently added or trying to be added to Fedora repos.
This would require both the packager and the reviewer to a) be capable of
and b) have enough time to review the _entire_ code base of each project
and declare that they found no security issues. It's an incredibly
difficult process.
I'd take a high-level summary and say that Fedora's processes and
policies, broadly, assume an element of good faith. Your proposal
appears to take the opposite tack: a defensive posture, assuming all new
code is bad until proven otherwise. This is a very difficult stance for
a project like Fedora to take convincingly. After all, if someone's
trying to trojan in something evil, why would you expect them to leave
it in plain sight? Surely they'd try to obfuscate it as much as
possible. As the Obfuscated C Code Contest and others show, there's all
sorts of possibilities down this line. If we're going to take a
defensive posture to all proposed Fedora packages, we'd need a corps of
elite coders to review every submitted package with a fine-toothed comb.
In practice, we have enough trouble just finding people committed
enough to perform the currently required review processes. It seems
unrealistic to believe Fedora is capable of performing a comprehensive
security audit on all the zillions of lines of code it contains and
which are regularly added to it...
Bodies with really serious security needs, like the NSA, have always
taken 'consumer level' products like Fedora and performed their own
security evaluations on them. I don't think that's an unreasonable
approach. If you have really serious security requirements, then you may
need to shoulder some of the burden of enforcing them yourself.
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net