On Wed, Dec 05, 2012 at 03:20:14PM -0500, Bill Nottingham wrote:
> * 960 - F18 schedule + the holidays (notting, 18:50:29)
> * LINK: https://fedoraproject.org/wiki/JaroslavReznik/FedupF18Final -
> not updated yet (jreznik, 18:58:15)
> * AGREED: Do not block on fedup signature checking (not a regression)
> (+:7, -:0, 0:0) (notting, 19:08:47)

How is not providing a supported way to do a secure upgrade of Fedora not a regression?

It is a big disappointment that Fedora is more and more turning its back on security. If I remember correctly, Fedora was one of the leading distributions providing and using signed packages. But with time this is more and more invalidated and people are more and more expected to install unsigned packages or not to verify them. At least back in 2010 malicious mirrors were still acknowledged as a security risk for Fedora users and signed packages were mentioned as a countermeasure:
https://fedoraproject.org/wiki/Mirror_manager_security_risks

How come it became less important now? Actually it is even easier to attack users as more and more mobile devices are used.

And what is even worse, the whole problem of not verifying packages on upgrade or the upgrade image itself is not even prominently communicated. There is nothing in the release notes about this:
http://docs.fedoraproject.org/en-US/Fedora/18/html/Release_Notes/sect-Release_Notes-Changes_for_Sysadmin.html#idm32350976

I am very disappointed about this and I think this is a bad decision. :-(

Regards
Till