Aaron W. Swenson:
> This is what's been driving me batty. None of you verified my identity
> before letting me be an official Gentoo Developer. Yet I have access to
> the repo. All I had to do was complete the quizzes.
>
The only way to improve security in the sense of random collaborators is to
not grant them push access in the first place. This is almost going off-topic
since it still doesn't solve the attack vector this topic was initially
about. But our project model is definitely not up to date anymore.

Let me quote Bryan Østergaard in this context [0]:

> Other source based distributions follow a fairly closed development model
> that relies on a particular group of developers doing most, if not all the
> work and a somewhat complex organisation model that's supposed to help solve
> internal problems. The most common solution when technical problems (such as
> packages not getting timely updates) occur is to add more developers to the
> organisation. Unfortunately this also tends to amplify any organisational
> problems.

Not just organisational problems, but also trust problems and QA problems on
top of that. If we want to improve this, we have to think again and start a
real review-based development model. This will mean changing the whole Gentoo
project structure and using the benefits of git to do it right.

Anyone up for that? I guess not. You'd have to write up 10+ GLEPs to even try
it, lol.

--
[0] https://archive.fosdem.org/2009/interview/bryan+ostergaard