Re: Ready for new RPM version?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 2009-02-27 at 13:21 -0800, Adam Williamson wrote:
> On Fri, 2009-02-27 at 16:01 -0500, Jon Masters wrote:
> > On Fri, 2009-02-27 at 12:14 -0800, Adam Williamson wrote:
> > > On Fri, 2009-02-27 at 13:24 +0100, Till Maas wrote:
> > > > On Fr Februar 27 2009, Adam Williamson wrote:
> > > > 
> > > > > It would be nice to have everyone who works on Rawhide, work *from*
> > > > > Rawhide. I suspect this would make people generally less keen to break
> > > > > stuff. =)
> > > > 
> > > > I hope that nobody does this, because the rpm packages for Rawhide are not 
> > > > signed and therefore should not be trusted.
> > > 
> > > Huh. I didn't know that. Is there some reason why not? Is it the manual
> > > signing thing?
> > 
> > It's not actually just that though, due to the amount of churn, open ACL
> > lists, and so forth, I think you'd need to do a lot more before you
> > could go using rawhide for day-to-day stuff. Of course people more
> > trusting than myself will happily argue otherwise :)
> 
> Hmm. As far as I can see, signing Rawhide packages would still have
> value, in that it would prove that the package was created either by an
> approved maintainer of that package or by a Proven Packager, and was
> properly built through the official build system (it should, anyway, if
> the signing process is properly situated at the end of the above process
> and can't be accessed in any other way).

Yeah, still doesn't protect against the guy who introduces a new package
today that includes an updated configuration for my VPN client, or my
email client, or a host of other stuff I might be using and rely upon.

IMHO it's not the place of the development branch of a distribution to
provide the level of protection from such things. This is why I run my
tests mostly on old hardware or on virtual machines - I copy stuff into
the virtual machine, have only toy passwords on it, etc. It's not a
perfect protection, but I view it as a reasonable precaution against
"kitten consumption" or even malicious attempts to harm Fedora.

Jon.


-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux