On Fri, May 8, 2015 at 1:24 PM, drago01 <drago01@xxxxxxxxx> wrote:
> Well that can be fixed though (i.e. serve the file over SSL; sure there
> it would be still possible to attack the server and replace the
> package there but at least one can not easily hijack the domain / http
> request and replace it).
> --
> desktop mailing list
> desktop@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/desktop

Sure, I am not saying this is un-fixable. However, an adversary could still create a fake rpmfusion lookalike, promote it very high up the search results, link to it in forum answers, etc etc... these forums might not be served with HTTPS, too. Since there are no official Fedora instructions on how to get rpmfusion, it means putting users at risk.

The best solution would have been if Fedora would have the rpmfusion-release package in the repos, signed by the Fedora key (or a URL to get it + a checksum of the resulting file), and gnome-software would be able to fetch it... so people won't need to trust arbitrary forum posts. That approach, of course, is against Fedora's policies, so it's not going to happen.

It seems we're going on tangents here, so if I go back to the main point: The current Fedora policy prevents us from giving people the best possible out of the box experience. Many people will not want to switch to Fedora because of that. So either the policy should be changed to make these things easier and safer, or we decide we just give up on that point and focus on the other issues that prevent people from switching.

--
-Elad.