Over at perl.org we generally don't give anyone shell access for any reason, but instead make people upload files and update sites with Subversion or WebDAV. It might be a bit more hassle for the contributors, but as the not-so-recent "incident" at the FSF shows, it's a mighty good idea. They got hacked by a local user in March (!) and only found out a few weeks ago.
We might still expose a vulnerability somehow some day (knock on wood), but with fewer people having local access, it's much less likely.
It's also a reminder why signing releases would be a good idea.
Giving shell access is always risky. I like to use something like scponly so people can use scp but not log in.
http://freshmeat.net/projects/scponly/
Signing releases -- note that PAUSE automatically keeps MD5 checksums of uploads (the CHECKSUMS file in authors' directories).
Signing releases again -- note that GPG-signing is much easier to verify safely than md5sums, since md5sums are either (a) stored alongside the distributed file and therefore compromisable there too, or (b) posted separately (and which user will dig out the release announcement to check the sums match?). With GPG, an attacker would have to get hold of the secret key for that pubkey too.
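To illustrate the two comments above (the CHECKSUMS file and the point that a checksum stored beside the file is "compromisable there too"), here is an added example; it is not code from the original thread, from PAUSE or from the FSF incident. It models a release directory whose manifest sits next to the tarball, shows that someone with write access to that directory can regenerate the manifest so the checksum check passes, and shows that a signature made with a key that never lives on the server does not pass. Assumptions: the manifest format (`<sha256>  <filename>`, like `sha256sum` output) is constructed for this example and is not PAUSE's own layout; HMAC-SHA256 stands in for the GPG detached signature purely so the code runs offline with the standard library (a real public-key signature lets the verifier hold only the public key, whereas HMAC needs the same secret on both sides); all file contents and keys are made up.

```python
"""Co-located checksums versus a signature the attacker cannot forge.

Added example, not from the original thread. See the lead-in for the
assumptions: constructed manifest format, constructed data, and HMAC
as an offline stand-in for a GPG detached signature.
"""
import hashlib
import hmac
from typing import Dict, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> str:
    """Produce a checksum manifest: one '<sha256>  <name>' line per file."""
    return "".join(
        f"{sha256_hex(data)}  {name}\n" for name, data in sorted(files.items())
    )


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse manifest lines back into {filename: sha256_hex}; skip blank lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name] = digest
    return entries


def checksums_match(files: Dict[str, bytes], manifest: str) -> bool:
    """The check a downloader does with a CHECKSUMS file from the same directory."""
    expected = parse_manifest(manifest)
    if set(expected) != set(files):
        return False
    return all(
        hmac.compare_digest(sha256_hex(files[name]), expected[name]) for name in files
    )


def sign_manifest(manifest: str, signing_key: bytes) -> str:
    """Stand-in for a detached signature over the manifest (HMAC, see lead-in)."""
    return hmac.new(signing_key, manifest.encode(), hashlib.sha256).hexdigest()


def signature_valid(manifest: str, signature: str, verify_key: bytes) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, verify_key), signature)


def simulate_release_tampering() -> Tuple[bool, bool, bool]:
    """Return (pristine_checksums_ok, tampered_checksums_ok, tampered_signature_ok).

    Constructed scenario: the release bytes, the maintainer key and the
    replacement bytes are all made up for this example.
    """
    maintainer_key = b"constructed-maintainer-signing-key"  # never copied to the server
    release = {"Foo-Bar-1.00.tar.gz": b"original release bytes"}
    manifest = build_manifest(release)
    signature = sign_manifest(manifest, maintainer_key)

    # A user who fetches tarball + CHECKSUMS from the untouched directory.
    pristine_ok = checksums_match(release, manifest)

    # An account with write access to the directory swaps the tarball and
    # rewrites CHECKSUMS to match. The co-located checksum check still passes.
    tampered = {"Foo-Bar-1.00.tar.gz": b"modified release bytes"}
    tampered_manifest = build_manifest(tampered)
    tampered_checksums_ok = checksums_match(tampered, tampered_manifest)

    # The signature does not: the key needed to sign the rewritten manifest is
    # not on the server, and the original signature no longer matches it.
    tampered_signature_ok = signature_valid(tampered_manifest, signature, maintainer_key)

    return pristine_ok, tampered_checksums_ok, tampered_signature_ok


if __name__ == "__main__":
    print(simulate_release_tampering())
```

The design point is where the trust anchor lives: a checksum verifies only that the download matches whatever was in the directory at that moment, while a signature verifies that the manifest was produced by whoever holds the signing key, which is exactly what a compromised local account lacks.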
Bjorn. I have an interest in security. My sister does not know this stuff, and she worked with DOS in '81.
ODIN