Christian Kastner <[email protected]> writes:

> And I maintain that those people cannot be trusted with unrestricted
> upload rights to the archive. That person-no-one-has-ever-met but
> occasionally-prepares-and-uploads-packages could just be a well
> motivated person (or a group of people -- who knows?) hoping to
> eventually compromise a popular OS such as Debian, with zero risk of
> personal consequences, or criminal prosecution.

I think the point is that so could the person who showed up at DebConf.
Once you start postulating a sufficiently motivated attacker that they
would be willing to take the time to establish a contribution track
record and go through the NM process, showing up at DebConf with a forged
ID is not increasing the difficulty of the attack by very much, nor is it
increasing the risk by all that much.

--
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>

