Comment 2 for bug 284141

Michael Casadevall (mcasadevall) wrote : Re: PPAs need an additional level of security to prevent compromise on projects that are free registration

Restricted membership isn't a problem: if you make a person a member of a team, then the admin(s) trust them to do an upload. The 5-a-day group is an example case:

https://edge.launchpad.net/~5-a-day/+archive

There are roughly 150-ish users on it. Anyone can register an account, join this team, add a GPG key, upload replacing the existing package with a malicious command, and quite possibly screw users over. Granted, you could put the PPA in a separate team, but having PPAs on teams with open membership seems kinda dangerous ...