On Fri, May 8, 2015 at 12:03 PM, Elad Alfassa <elad@xxxxxxxxxxxxxxxxx> wrote:
> On Fri, May 8, 2015 at 12:27 PM, Michael Schwendt <mschwendt@xxxxxxxxx> wrote:
>> On Thu, 7 May 2015 23:27:31 +0300, Elad Alfassa wrote:
>>
>>> Another point is that this repo does not seem to be fast enough with
>>> security updates, as it is operated by volunteers and doesn't seem to
>>> have a security response team - so it sometimes takes weeks for
>>> critical security fixes to be shipped to users.
>>
>> Wait a minute! You don't really want to open that can of worms.
>> Do you know any examples about _critical_ vulnerabilities in rpmfusion.org
>> packages?
>
> CVE-2014-9629 in VLC, for example. I could probably find more if I'd
> look at more packages.
>>
>> Fedora may have a security team, but there are 304 open CVE tickets about
>> "moderate vulnerabilities" dating back as far as into the year 2012,
>> and 38 open tickets about "important vulnerabilities" dating back into
>> early 2013. Example:
>
> Ouch. Okay, in that case you can ignore my point about security
> response in rpmfusion.
>
> But regardless of the security response point, I still think
> installing rpmfusion harms user safety. There's no way to verify the
> key you just trusted is the actual signing key used by rpmfusion, an
> adversary could easily replace the "Enable RPMFusion on your system"
> page with something more sinister.

Well, that can be fixed though (i.e. serve the file over SSL; sure, it would still be possible to attack the server and replace the package there, but at least one cannot easily hijack the domain / HTTP request and replace it).

-- 
desktop mailing list
desktop@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/desktop
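The reply above comes down to two settings a third-party repo can get wrong: key and packages fetched over plain HTTP (hijackable on the network) and signature checking switched off (so a swapped package installs anyway). The following is an added example, not code from the thread or from RPM Fusion: a small linter for yum/dnf `.repo` files that flags those two weaknesses, shown against a constructed weak configuration and its hardened form. The repo names and `example.invalid` URLs are placeholders, not real mirrors.

```python
"""Lint a yum/dnf .repo file for settings that let someone on the network
substitute packages, metadata or the signing key.

Added example for the mailing-list discussion above; the .repo texts and
URLs below are constructed placeholders, not RPM Fusion's real config.
"""
from __future__ import annotations

import configparser
from urllib.parse import urlparse

# Constructed example of the weak setup the reply warns about: everything
# over plain HTTP and no signature verification at all.
WEAK_REPO = """
[example-free]
name=Example repo (weak settings)
baseurl=http://mirror.example.invalid/free/$releasever/$basearch/
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=http://mirror.example.invalid/keys/RPM-GPG-KEY-example
"""

# Same repo with the fixes suggested in the reply: TLS for every URL and
# signature checks on for both packages and repository metadata.
HARDENED_REPO = """
[example-free]
name=Example repo (hardened settings)
baseurl=https://mirror.example.invalid/free/$releasever/$basearch/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirror.example.invalid/keys/RPM-GPG-KEY-example
"""

# Options whose values are URLs (space separated when there are several).
URL_OPTIONS = ("baseurl", "metalink", "mirrorlist", "gpgkey")
INSECURE_SCHEMES = ("http", "ftp")


def lint_repo(text: str) -> dict[str, list[str]]:
    """Return {section name: [findings]} for every repo section in text.

    An empty findings list means the section passed every check.
    """
    # interpolation=None keeps yum variables such as $releasever literal.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    report: dict[str, list[str]] = {}
    for section in cp.sections():
        opts = cp[section]
        findings: list[str] = []

        # Package signatures: without gpgcheck=1 a replaced RPM installs.
        if opts.get("gpgcheck", "0").strip() != "1":
            findings.append("gpgcheck is off: unsigned or re-signed packages will install")

        # Metadata signatures: without repo_gpgcheck=1 a mirror or MITM can
        # serve altered repomd.xml pointing at old, vulnerable packages.
        if opts.get("repo_gpgcheck", "0").strip() != "1":
            findings.append("repo_gpgcheck is off: repository metadata is unauthenticated")

        # Transport: http/ftp URLs can be rewritten in flight; the gpgkey
        # URL matters most, because a swapped key defeats both checks above.
        for option in URL_OPTIONS:
            if option not in opts:
                continue
            for url in opts[option].split():
                scheme = urlparse(url).scheme.lower()
                if scheme in INSECURE_SCHEMES:
                    findings.append(f"{option} fetched over {scheme}: {url}")

        if "gpgkey" not in opts:
            findings.append("gpgkey missing: nothing to verify signatures against")

        report[section] = findings
    return report


if __name__ == "__main__":
    for label, text in (("weak", WEAK_REPO), ("hardened", HARDENED_REPO)):
        for section, findings in lint_repo(text).items():
            print(f"[{label}] {section}: {findings or 'OK'}")
```

Serving the key over TLS only proves it came from whoever holds the server's certificate, which is exactly the residual risk the reply acknowledges; the remaining step is for the user to compare the imported key's fingerprint against one published through a second channel before trusting it.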