
Access Control - What is it good for?

There is a recent discussion on the Fedora-maintainers list calling for an end to the ACL (access control list). A pkg.acl file may exist for every Fedora package; it lists the maintainer, the co-maintainer and possibly others who are authorized to fix, rebuild and upload that package. This file exists by default, but may be modified or removed by the package maintainer.

Here in the northern hemisphere it's summer, a time for vacations, a time when a package maintainer might not be around to maintain those packages. Sometimes you just don't want a package sitting around a week or two with a known (and fixed upstream) security issue. If a soname bump requires several packages to be rebuilt, it's better to have that happen sooner rather than later. Hence the call to remove all pkg.acl files to allow other Fedora maintainers access to all/most packages.

The ACL is in place for security reasons, though. No one ever said, "Let's make it more difficult to get packages fixed when the maintainer is unresponsive." On the other hand, do you want some fairly inexperienced, casual maintainer messing with the kernel package? Even with the best of intentions, mistakes can really mess up the system for many users. Critical packages should have stricter restrictions, but for the vast majority of packages any Fedora maintainer should be able to deal with minor maintenance.

A more important consideration may be security: if any Fedora maintainer can make changes to any package, vast amounts of damage might be done by a single compromised account. There are things that can be done to mitigate this risk, but it is a concern nonetheless.

Part of the issue is that there is an ever-increasing number of Fedora maintainers, and not all of them know that ACLs are enabled by default. As a result of this thread, wiki pages are being built which list critical packages and document the default ACL behavior and how to change it. Steps are also being taken to give a select set of groups, such as FESCo (Fedora Engineering Steering Committee) and the Fedora Security team, the access needed to fix issues as necessary.



Access Control - Looking at other distros

Posted Jun 21, 2007 8:08 UTC (Thu) by DeletedUser32991 ((unknown), #32991)

Debian seems to do pretty well without ACLs, just by mutual respect. I don't think I've seen more than one major problem with it over the last 5 years, and that didn't reach even the users of unstable. New developers don't tend to introduce themselves as having upload privileges by screwing up with large and important packages.

comparing to Debian: NMU (Non Maintainer Uploads)

Posted Jun 21, 2007 9:19 UTC (Thu) by tzafrir (subscriber, #11501)

The discussion should indeed benefit from looking at how this is done in Debian.

Each Debian package has a Maintainer and an optional list of additional Uploaders. They are the ones who should know the package well enough to tell if a change doesn't break it.

If anybody else uploads a package it is considered to be a Non-Maintainer Upload. This should not usually be done. It should normally follow a bug that has been left unanswered for long enough. An NMU is in itself a sort of bug, and the package maintainer should follow up on it.

Access Control - What is it good for?

Posted Jun 21, 2007 19:33 UTC (Thu) by JohnNilsson (guest, #41242)

As long as every change can be scrutinized and reverted, I would think ACLs add more problems than they solve.

Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds