On Wed, 2004-09-01 at 10:25 -0400, seth vidal wrote:
> > It'd also be nice if yum supported 'temporary' repositories that were
> > passed to it on the command line or through library calls, so, for
> > example, an application RPM could include some meta-data pointing to a
> > repository containing dependencies, so users don't have to a) manually
> > add the repository to their yum.conf or b) manually download all the
> > dependencies.
>
> It seems to me that a 'temporary' repository is a root kit waiting to
> happen.

It's no worse than users installing any other RPM. If you don't trust
the source, don't use it. Certainly, with signed RPMs and a little bit
of clue on the part of the user, unintentional installation of untrusted
packages can be avoided. So long as you have someone who doesn't know
or doesn't care about good security, you're not going to stop them from
installing something malicious.

The temporary repository in this example would only be ever referenced
during the initial installation of the application RPM - if the vendor
of the RPM wanted to install malicious code, there is no reason for them
to put it in a separate package instead of just putting the code
directly in the app RPM.

>
> -sv

--
Sean Middleditch <elanthis@xxxxxxxxxxxxxxx>
AwesomePlay Productions, Inc.