On 22/08/07, Jesse Keating <jkeating@xxxxxxxxxx> wrote:
> Also it's easy enough to install some piece of software off the net
> that drops a yum repo file in place and starts handing you packages
> from another repo. You should get the opportunity to confirm your
> trust in this repo before it starts replacing all kinds of packages in
> your system..
> (now said packages that drop a repo file could just as easily set
> gpgcheck=no and bypass all the trust issues, but that's neither here
> nor there)

I think it is very important actually. If a malicious package is putting files in random places as the root user (installing a package manually using rpm), then we've essentially lost security on the system as far as I'm concerned.

You could take this argument one step further: a malicious package could be designed to patch yum/rpm to not do the gpg checks.

Richard.

--
Fedora-desktop-list mailing list
Fedora-desktop-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-desktop-list
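The point raised in the quoted message, that a repo file dropped into /etc/yum.repos.d/ can simply carry gpgcheck=0 (or omit gpgcheck and lean on the [main] default), is something an administrator can at least detect after the fact. The script below is an added example written for this page, not code from the thread or from the yum project: it parses yum-style .repo definitions and reports every enabled repo whose packages would be installed without a signature check. The sample repo text is constructed for the demonstration; the assumption that the [main] section of yum.conf has gpgcheck=1 (as Fedora ships it) is exposed as the `main_gpgcheck` parameter so it can be overridden.

```python
"""Audit yum-style .repo definitions for disabled GPG signature checking.

Added example, not part of the original mailing-list thread.  A repo file
can turn off per-package signature verification with ``gpgcheck=0`` or by
omitting ``gpgcheck`` when the [main] section of yum.conf is permissive;
this script flags both cases, plus repos whose signing key is fetched
over plaintext http.
"""
import configparser
import glob
import os

# Boolean spellings accepted in yum configuration files.
TRUE_WORDS = {"1", "yes", "true", "on"}
FALSE_WORDS = {"0", "no", "false", "off"}


def parse_bool(raw, default):
    """Interpret a yum boolean option; None (option absent) yields default."""
    if raw is None:
        return default
    value = raw.strip().lower()
    if value in TRUE_WORDS:
        return True
    if value in FALSE_WORDS:
        return False
    raise ValueError("not a boolean option value: %r" % raw)


def audit_repos(repo_text, main_gpgcheck=True):
    """Return [(repo_id, reason), ...] for enabled repos that skip verification.

    main_gpgcheck is the value of gpgcheck in the [main] section of yum.conf
    (assumed True here, as Fedora ships it); a repo without its own gpgcheck
    line inherits that value.
    """
    # interpolation=None: yum values such as $releasever are not %-style refs.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(repo_text)
    findings = []
    for repo_id in cp.sections():
        if repo_id == "main":
            continue
        sec = cp[repo_id]
        # enabled defaults to 1; a disabled repo cannot supply packages.
        if not parse_bool(sec.get("enabled"), True):
            continue
        raw_gpgcheck = sec.get("gpgcheck")
        if raw_gpgcheck is None:
            if not main_gpgcheck:
                findings.append((repo_id, "gpgcheck not set and [main] gpgcheck is off"))
            continue
        if not parse_bool(raw_gpgcheck, main_gpgcheck):
            findings.append((repo_id, "gpgcheck explicitly off"))
            continue
        # gpgkey may list several URLs separated by whitespace.
        keys = (sec.get("gpgkey") or "").split()
        if any(url.startswith("http://") for url in keys):
            findings.append((repo_id, "gpgkey fetched over plaintext http"))
    return findings


def audit_repo_dir(path="/etc/yum.repos.d", main_gpgcheck=True):
    """Audit every *.repo file in a directory; returns {filename: findings}."""
    report = {}
    for repo_file in sorted(glob.glob(os.path.join(path, "*.repo"))):
        with open(repo_file) as fh:
            report[repo_file] = audit_repos(fh.read(), main_gpgcheck)
    return report


# Constructed sample input standing in for /etc/yum.repos.d/*.repo contents.
SAMPLE_REPOS = """\
[fedora]
name=Fedora
baseurl=https://example.invalid/fedora
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora

[dropped-by-installer]
name=Repo dropped in by a third-party installer
baseurl=http://example.invalid/repo
gpgcheck=0

[no-gpgcheck-line]
name=Relies on the [main] default
baseurl=http://example.invalid/repo2

[disabled-and-unchecked]
baseurl=http://example.invalid/repo3
enabled=0
gpgcheck=no

[plaintext-key]
baseurl=https://example.invalid/repo4
gpgcheck=1
gpgkey=http://example.invalid/key.asc
"""

if __name__ == "__main__":
    for repo_id, reason in audit_repos(SAMPLE_REPOS, main_gpgcheck=True):
        print("%-22s %s" % (repo_id, reason))
```

Run against the sample with a strict [main], the two findings are the dropped repo with gpgcheck=0 and the repo whose key is fetched over http; with `main_gpgcheck=False` the repo that omits gpgcheck is reported as well, which is exactly the inherited-default case the quoted message alludes to. As Richard notes, a package already running as root can also patch yum or rpm itself, so a check like this is only useful before that point, or when run from a trusted environment against the suspect filesystem.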