Am 16.12.2012 18:02, schrieb Bruno Wolff III: > On Sun, Dec 16, 2012 at 19:17:50 +1030, > Tim <ignored_mailbox@xxxxxxxxxxxx> wrote: >> On Sat, 2012-12-15 at 11:18 -0600, Bruno Wolff III wrote: >>> Unless you think you have a chance of being singled out by a goverment >>> or if you don't trust some of the people/machines on your local >>> network, this isn't a significant risk. >> >> You don't think some malcontent might try to set up a bogus repo, or >> damage another one, just because they're an ass? > > They have to get people to use such a repo, which is going to be hard. One could get away with it perhaps for a > little while by showing different data to users and to the mirror checker. And only a small fraction of people are > going to end up using such a mirror. nothing easier as to point you to another repo with /etc/hosts if something goes wrong on your machine - it is enough if you are ONE TIME ente your root-password in the wrong dialog and after pointing you to a modified repo you get a backdoor installed which you can not detect if it is done well by filter output of lsof, ps and whatever tools you think are helping you in such cased who makes you believe repos are always trustable for sure and no ssh-keys of maintainers are lost and misued? it happened not so long ago to the fedora infrastructure (google is your friend) the first and largest mistake in context security you can make is to think you are secure but not have the knowledge to make sure it is so - goodwill and hope is no base for security
Attachment:
signature.asc
Description: OpenPGP digital signature
-- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
