On 11/18/2009 05:14 PM, Richard Hughes wrote:
2009/11/18 Jeff Garzik<jgarzik@xxxxxxxxx>:
How little social engineering + virus automation does it take to get such an
install to include a malicious 3rd party repo?
You need the root password to install from repos not signed by a key
previously imported, or if the package signature is wrong.
You forget we have botnets doing distributed cracking now.
Fedora just opened up a huge attack vector, for the users who are least
equipped to understand the consequences.
And this enormous security hole of a policy change was done with next to
/zero/ communication, making it likely that many admins will not even
know they are vulnerable until their kids install a bunch of unwanted
packages.
Jeff
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
