Re: Why people are not switching to Fedora

On May 8, 2015 4:39 AM, "Elad Alfassa" <elad@xxxxxxxxxxxxxxxxx> wrote:
>
> On Fri, May 8, 2015 at 1:24 PM, drago01 <drago01@xxxxxxxxx> wrote:
> > Well that can be fixed though (i.e. serve the file over SSL; sure there
> > it would be still possible to attack the server and replace the
> > package there but at least one can not easily hijack the domain / http
> > request and replace it).
> > --
> > desktop mailing list
> > desktop@xxxxxxxxxxxxxxxxxxxxxxx
> > https://admin.fedoraproject.org/mailman/listinfo/desktop
>
> Sure, I am not saying this is un-fixable.
>
> However, an adversary could still create a fake rpmfusion lookalike,
> promote it very high up the search results, link to it in forum
> answers, etc etc... these forums might not be served with HTTPS, too.
> Since there are no official Fedora instructions on how to get
> rpmfusion, it means putting users at risk.
>
> The best solution would have been if Fedora would have the
> rpmfusion-release package in the repos, signed by the Fedora key (or a
> URL to get it + a checksum of the resulting file), and gnome-software
> would be able to fetch it... so people won't need to trust arbitrary
> forum posts.
>
> That approach, of course, is against Fedora's policies, so it's not
> going to happen.
>
>
> It seems we're going on tangents here, so if I go back to the main
> point: The current Fedora policy prevents us from giving people the
> best possible out of the box experience. Many people will not want to
> switch to Fedora because of that. So either the policy should be
> changed to making these things easier and safer, or we decide we just
> give up on that point and focus on the other issues that prevent
> people from switching.
> --
> -Elad.
> --

RPMfusion is struggling with infrastructure issues right now.  There's a rather small subset of the Fedora community maintaining what I think we're all agreed are essential packages.  At some point, those of us who really care about the functionality that RPMfusion provides should help them.  This doesn't have to be entirely solved as an Official Fedora Workstation problem - working within that third party community benefits users too.  A policy that allows their release package doesn't improve their release - it just makes a very simple process slightly simpler.  A policy that allows Fedora to directly ship encumbered products is a non-starter.

(note that I'm including myself in that statement, and realize that a lot of folks reading could be RPMfusion maintainers and I don't know it)

--Pete
