Re: Why people are not switching to Fedora




On Fri, May 8, 2015 at 12:27 PM, Michael Schwendt <mschwendt@xxxxxxxxx> wrote:
> On Thu, 7 May 2015 23:27:31 +0300, Elad Alfassa wrote:
>
>> Another point is that this repo does not seem to be fast enough with
>> security updates, as it is operated by volunteers and doesn't seem to
>> have a security response team - so it sometimes takes weeks for
>> critical security fixes to be shipped to users.
>
> Wait a minute! You don't really want to open that can of worms.
> Do you know any examples about _critical_ vulnerabilities in rpmfusion.org
> packages?

CVE-2014-9629 in VLC, for example. I could probably find more if I
looked at more packages.
>
> Fedora may have a security team, but there are 304 open CVE tickets about
> "moderate vulnerabilities" dating back as far as into the year 2012,
> and 38 open tickets about "important vulnerabilities" dating back into
> early 2013. Example:

Ouch. Okay, in that case you can ignore my point about security
response in rpmfusion.

But regardless of the security response point, I still think
installing rpmfusion harms user safety. There's no way to verify that
the key you just trusted is the actual signing key used by rpmfusion;
an adversary could easily replace the "Enable RPMFusion on your system"
page with something more sinister.



-- 
-Elad.
-- 
desktop mailing list
desktop@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/desktop
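The trust-on-first-use problem raised in the message above (the repo key is fetched from the same page that tells you to trust it) is normally mitigated by pinning: the key's OpenPGP fingerprint is obtained through a separate channel and the downloaded key is only imported if its computed fingerprint matches. The following is an added example, not code from the thread, from Fedora or from RPM Fusion. It dearmors a public key block, parses the primary key packet and computes the v4 fingerprint as defined in RFC 4880 (SHA-1 over 0x99, a two-byte length and the packet body), then compares it with a pinned value in constant time. The sample key and the pinned fingerprint value are constructed placeholders; a real deployment would replace them with the key file fetched for `rpm --import` and the fingerprint published out of band.

```python
"""Pin a repository signing key's fingerprint before importing it.

Added example (not from the mailing list thread). The primary-key
fingerprint of an ASCII-armored OpenPGP public key block is computed per
RFC 4880 section 12.2 and compared with a fingerprint obtained out of band.
Only on a match would the key file be handed to `rpm --import`.
"""
import base64
import hashlib
import hmac
import struct


def dearmor(armored: str) -> bytes:
    """Strip ASCII armor (header lines, blank separator, CRC line) and
    return the raw OpenPGP packet bytes."""
    lines = armored.strip().splitlines()
    if not lines[0].startswith("-----BEGIN PGP PUBLIC KEY BLOCK-----"):
        raise ValueError("not a PGP public key block")
    body, in_body = [], False
    for line in lines[1:]:
        if line.startswith("-----END"):
            break
        if not in_body:
            if line.strip() == "":
                in_body = True      # blank line ends the armor headers
                continue
            if ":" in line:
                continue            # armor header such as "Version:"
            in_body = True          # block without armor headers
        if line.startswith("="):
            continue                # radix-64 CRC line, not part of the data
        body.append(line.strip())
    return base64.b64decode("".join(body))


def first_packet(data: bytes):
    """Return (tag, body) of the first OpenPGP packet, handling both
    old-format and new-format packet headers (RFC 4880 section 4.2)."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("invalid packet header")
    if ctb & 0x40:                                  # new-format header
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                           # old-format header
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 0:
            length, off = data[1], 2
        elif ltype == 1:
            length, off = struct.unpack(">H", data[1:3])[0], 3
        elif ltype == 2:
            length, off = struct.unpack(">I", data[1:5])[0], 5
        else:
            raise ValueError("indeterminate length not supported")
    return tag, data[off:off + length]


def key_fingerprint(armored: str) -> str:
    """Uppercase hex v4 fingerprint of the primary public key (tag 6)."""
    tag, body = first_packet(dearmor(armored))
    if tag != 6:
        raise ValueError("first packet is not a public key packet")
    if body[0] != 4:
        raise ValueError("only v4 keys are supported")
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    return digest.hexdigest().upper()


def fingerprint_matches(armored: str, pinned: str) -> bool:
    """Constant-time comparison against the out-of-band fingerprint;
    spaces and case in the pinned value are ignored."""
    want = pinned.replace(" ", "").upper()
    return hmac.compare_digest(key_fingerprint(armored), want)


def build_sample_key() -> str:
    """Constructed v4 RSA public key block with toy parameters, used only to
    exercise the fingerprint code. It is not a usable key."""
    def mpi(x: int) -> bytes:
        return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", 1431080858) + b"\x01" + mpi(0xC0FFEE) + mpi(65537)
    packet = b"\x99" + struct.pack(">H", len(body)) + body   # old-format tag 6, 2-byte length
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed sample\n\n"
            + base64.b64encode(packet).decode() + "\n-----END PGP PUBLIC KEY BLOCK-----\n")


if __name__ == "__main__":
    key = build_sample_key()
    # PINNED_FINGERPRINT is a placeholder: in practice it comes from a channel
    # independent of the page that served the key.
    PINNED_FINGERPRINT = key_fingerprint(key)
    print("fingerprint:", key_fingerprint(key))
    print("safe to import:", fingerprint_matches(key, PINNED_FINGERPRINT))
```

The check only helps if the pinned fingerprint really comes from a different channel than the key itself; if both are copied from the same web page, an attacker who can alter that page can alter both, which is the point the message makes.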