Access Control - What is it good for?
[Posted June 20, 2007 by ris]
There is a recent
discussion on the
Fedora-maintainers list calling for an end to the ACL (access control
list). A pkg.acl file may exist for every Fedora package, and it lists the
maintainer and co-maintainer and possibly others that are authorized to
fix, rebuild and upload that package. This file exists by default, but may
be modified or removed by the package maintainer.
Here in the northern hemisphere it's summer, a time for vacations, a time
when a package maintainer might not be around to maintain those packages.
Sometimes you just don't want a package sitting around a week or two with a
known (and fixed upstream) security issue. If a soname bump requires
several packages to be rebuilt, it's better to have that happen sooner
rather than later. Hence the call to remove all pkg.acl files to allow
other Fedora maintainers access to all/most packages.
The ACL is in place for security reasons, though. No one ever said, "Let's
make it more difficult to get packages fixed when the maintainer is
unresponsive." On the other hand, do you want some fairly inexperienced,
casual maintainer messing with the kernel package? Even with the best of
intentions, mistakes can really mess up the system for many users.
Critical packages should have stricter restrictions, but for the vast
majority of packages any Fedora maintainer should be able to deal with
minor maintenance.
A more important consideration may be security: if any Fedora maintainer can make changes to any package, vast amounts of damage might be done by a single compromised account. There are things that can be done to mitigate this risk, but it is a concern nonetheless.
Part of the issue is that there are an ever-increasing number of
Fedora maintainers, and not all of them know that ACLs are enabled by
default. As a result of this thread, wiki pages are being built which list
critical packages and document the default ACL behavior and how to change
it. Steps are also being taken that would
allow access to a select set of groups, such as FESCo (the Fedora
Engineering Steering Committee) and the Fedora Security team, to fix issues
as necessary.
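To make the trade-off concrete, here is a small authorization check modelled on the scheme the thread describes: a per-package allow list, open access when no list exists, a set of critical packages that must never be left open, and break-glass groups that may fix any package. This is an added illustration, not Fedora's own tooling; the pkg.acl line format, the group memberships, the `MAINTAINERS` set and the `CRITICAL` list are all assumptions made for the example.

```python
"""Deny-by-default package ACL check, modelled on the pkg.acl discussion.

Added example; not Fedora's own code. File format, group membership,
maintainer set and critical-package list are assumptions.
"""

from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed sample data: every sponsored maintainer account.
MAINTAINERS = {"alice", "bob", "carol", "dave"}

# Groups the thread proposed should be able to fix any package.
# Membership is assumed; the article names the groups, not their members.
GROUPS = {
    "fesco": {"carol"},
    "security-team": {"dave"},
}
OVERRIDE_GROUPS = {"fesco", "security-team"}

# Packages that keep strict ACLs regardless of the "remove all ACLs" call
# (assumed list; the article gives the kernel as the motivating case).
CRITICAL = {"kernel", "glibc"}


@dataclass
class Package:
    name: str
    # None models "no pkg.acl file present": any maintainer may commit.
    acl: Optional[Set[str]] = None


def parse_pkg_acl(text: str) -> Set[str]:
    """Parse a pkg.acl file: one account per line, '#' starts a comment.

    The line format is an assumption for this example.
    """
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.add(line)
    return names


def can_commit(user: str, pkg: Package) -> Tuple[bool, str]:
    """Return (allowed, reason); the reason is meant for the audit log."""
    if user not in MAINTAINERS:
        return False, "not a sponsored maintainer"
    # Break-glass groups may act while the package owner is unavailable.
    for group in sorted(OVERRIDE_GROUPS):
        if user in GROUPS.get(group, set()):
            return True, f"member of override group {group}"
    if pkg.acl is None:
        if pkg.name in CRITICAL:
            # A critical package with its ACL removed is a misconfiguration;
            # fail closed rather than open it to every maintainer.
            return False, "critical package without ACL: refusing open access"
        return True, "no pkg.acl: open to all maintainers"
    if user in pkg.acl:
        return True, "listed in pkg.acl"
    return False, "not listed in pkg.acl"


if __name__ == "__main__":
    # Constructed pkg.acl contents for the kernel package.
    kernel = Package("kernel", parse_pkg_acl("alice  # owner\nbob  # co-maintainer\n"))
    for who in ("alice", "carol", "mallory"):
        print(who, can_commit(who, kernel))
```

The ordering of the checks is the point: the maintainer-set check runs first so an unsponsored account is rejected before any group lookup, the override groups are consulted before the per-package list so a vacationing owner does not block a security fix, and a critical package whose ACL file has gone missing fails closed instead of silently becoming writable by everyone.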