On Wed, Jan 31, 2007 at 04:53:18PM +0100, Ralf Corsepius wrote:
> I don't see this. We all signed the CLI, we all log in through ssl, the
> VCS will log all changes, so everybody committing something already
> should be traceable.

Which is frequently too late. It is for the same reason you have file permissions. I trust the users of my external box absolutely, but they all have their own file permissions - because people make mistakes, because that way trojans can be isolated and attacks limited.

> Whether somebody deliberately/non-deliberately places a trojan into a
> package not owned by him or owned by somebody else, or imports an
> infected tarball, doesn't make much of a difference.

The import tar ball is watched by a lot more people in a lot more places.

> But .. isn't the likelihood of somebody intruding a Fedora mirror and
> placing malicious packages there, much larger?

Guess why rpm packages are digitally signed.

--
Fedora-maintainers mailing list
Fedora-maintainers@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-maintainers