On 01/08/2014 02:57 PM, Kai Engert wrote:
> On Wed, 2014-01-08 at 13:38 -0500, Stephen Gallagher wrote:
>> I don't really see this being more likely than an existing
>> application just bundling a wrapper script for certificate
>> generation and 'update-ca-extract' and quietly running that as
>> part of %post. Just as easy to miss and equally effective (with
>> much less trouble).
>
> true
>
>> I don't think that we can really write policy that eliminates the
>> risk of a determined abuse of the available technology.
>
> Probably. What do you think about adding a section to package
> reviewing guidelines, which says that packages that add files to
> the global CA directories should provide reasoning, and have
> someone check that reasoning. It might at least make people aware
> this is something to be careful with.
>

That seems perfectly reasonable to me.

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct