[oe] Getting patches committed

Stanislav Brabec utx at penguin.cz
Fri Jan 22 00:13:34 UTC 2010


Rolf Leggewie wrote:
> Stanislav Brabec wrote:
> > org.openembedded.open (or .staging or .public)
> 
> funny thing.  I was discussing something like this with RP just when you
> sent this mail.  It's not as straightforward as it may sound, though.
> First of all, I think we'd need several, possibly unlimited number of
> FFA branches.  Second, RP and I agreed that security implications are a
> concern if we allow commit access completely uninhibited.

Security in the world of open source is always based on a web of trust.

If any enterprise OE customer wants, it's possible to introduce digital
signatures of recipes including digital signatures of checksums and all
referred sources, classes etc.

Then anybody can create a virtual team of trusted people and ignore
unsigned recipes.

But this alone does not prevent use of hacked upstream tarballs or
malicious software.

Well, and OE probably has vulnerable software.

For example CVE-2008-1372 was present in bzip2 for more than a year:
Full disclosure date: 10/17/2008
Fixed in OE: 01/10/2010

Watching this would probably require a professional team subscribed to
vendor-sec, and backporting fixes to stable branches.


________________________________________________________________________
Stanislav Brabec
http://www.penguin.cz/~utx/zaurus
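The signed-recipe scheme sketched in the message above, worked through as an added example; this is not code from the thread or from OpenEmbedded. The `Recipe` structure, the Ed25519 keys, the trust set and the "tarball" bytes are all constructed for illustration. It shows what a trusted signature over a recipe plus checksum catches (untrusted signers, edited recipes, tarballs swapped after signing) and the gap the message points out: a maintainer who honestly records the checksum of an already-hacked upstream tarball produces a recipe that verifies cleanly.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Recipe is a hypothetical, minimal stand-in for an OE recipe: the fields a
// maintainer's signature must cover are the source location and the checksum
// the maintainer recorded for the upstream tarball.
type Recipe struct {
	Name   string
	SrcURI string
	SHA256 string // hex SHA-256 of the tarball, as recorded by the maintainer
}

// canonical returns the exact bytes the signature covers. Because the checksum
// is inside the signed text, a trusted signature also vouches for the tarball
// the maintainer saw at signing time, and only for that one.
func (r Recipe) canonical() []byte {
	return []byte("name=" + r.Name + "\nsrc_uri=" + r.SrcURI + "\nsha256=" + r.SHA256 + "\n")
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// SignRecipe produces a detached Ed25519 signature over the canonical recipe.
func SignRecipe(priv ed25519.PrivateKey, r Recipe) []byte {
	return ed25519.Sign(priv, r.canonical())
}

// TrustedSigners is the "virtual team of trusted people": the public keys a
// consumer accepts. A recipe signed by any other key is treated as unsigned.
type TrustedSigners map[string]ed25519.PublicKey

func (t TrustedSigners) Add(pub ed25519.PublicKey) { t[hex.EncodeToString(pub)] = pub }

// VerifyRecipe accepts a recipe only if the signer is in the trust set and the
// signature is valid over the canonical text.
func VerifyRecipe(t TrustedSigners, pub ed25519.PublicKey, r Recipe, sig []byte) bool {
	if _, ok := t[hex.EncodeToString(pub)]; !ok {
		return false
	}
	return ed25519.Verify(pub, r.canonical(), sig)
}

// VerifySource checks a fetched tarball against the checksum in an already
// verified recipe, so a tarball replaced after signing is rejected.
func VerifySource(r Recipe, tarball []byte) bool {
	return sha256Hex(tarball) == r.SHA256
}

// Outcome records what the trust model catches and what it does not.
type Outcome struct {
	HonestAccepted           bool // trusted signer, matching tarball
	UntrustedRejected        bool // valid signature, but key not in the trust set
	ForgedRejected           bool // recipe text edited after signing
	SwappedTarballRejected   bool // tarball replaced after the recipe was signed
	PoisonedUpstreamAccepted bool // honest signature over the checksum of a hacked tarball
}

// RunScenario exercises the model with constructed keys and constructed
// "tarball" bytes; no real upstream is contacted.
func RunScenario() Outcome {
	trustedPub, trustedPriv, _ := ed25519.GenerateKey(rand.Reader)
	strangerPub, strangerPriv, _ := ed25519.GenerateKey(rand.Reader)
	team := TrustedSigners{}
	team.Add(trustedPub)

	good := []byte("bzip2 release tarball (constructed)")
	recipe := Recipe{Name: "bzip2", SrcURI: "http://example.invalid/bzip2.tar.gz", SHA256: sha256Hex(good)}
	sig := SignRecipe(trustedPriv, recipe)

	// Same recipe text, signed by a key outside the trust set.
	strangerSig := SignRecipe(strangerPriv, recipe)

	// Recipe text altered after signing; the old signature no longer covers it.
	forged := recipe
	forged.SrcURI = "http://mirror.invalid/bzip2.tar.gz"

	// Upstream was already compromised when the maintainer recorded the
	// checksum: signature genuine, checksum matching, nothing here objects.
	hacked := []byte("bzip2 tarball with unwanted changes (constructed)")
	poisoned := Recipe{Name: "bzip2", SrcURI: recipe.SrcURI, SHA256: sha256Hex(hacked)}
	poisonedSig := SignRecipe(trustedPriv, poisoned)

	return Outcome{
		HonestAccepted:           VerifyRecipe(team, trustedPub, recipe, sig) && VerifySource(recipe, good),
		UntrustedRejected:        !VerifyRecipe(team, strangerPub, recipe, strangerSig),
		ForgedRejected:           !VerifyRecipe(team, trustedPub, forged, sig),
		SwappedTarballRejected:   VerifyRecipe(team, trustedPub, recipe, sig) && !VerifySource(recipe, hacked),
		PoisonedUpstreamAccepted: VerifyRecipe(team, trustedPub, poisoned, poisonedSig) && VerifySource(poisoned, hacked),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

Running it prints one `true` per field: the first four are what signing buys, the last is the residual risk the message describes, which no amount of recipe signing closes and which is why tracking upstream advisories remains separate work.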