Re: PackageKit policy: background and plans

Gregory Maxwell <gmaxwell@xxxxxxxxx> writes:

> There are many kinds of security threat out there. For example, a few
> dishonest people within the fedora project could conspire to backdoor
> the heck out of Fedora with a reasonable chance of not getting caught.
> Does this fact mean that we should not bother with signing packages or
> other security measures?

I didn't suggest anything like that, did I?

> Surely this would be preferable to reducing the security against
> common casual threats.

I'm not talking about reducing security. su, sudo are already suid root
(on most systems at least, especially su). Yes, this is, or at least may
be, a security risk. An admin entering root's password in an insecure session
to install software is another security risk. That obviously doesn't
mean I want non-root users to install system software at will.

I just say that when it comes to entering the root password (and/or
installing system software), it should be done in a secure manner,
preferably not from within user X session (unless the risk = the fact
of user = root equivalency is explicitly and specifically understood
and accepted).
-- 
Krzysztof Halasa

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
