Re: plowshare is not shipped with modules anymore


 



17.04.2015 07:41, Ralf Corsepius wrote:
> On 04/17/2015 01:10 AM, Pavel Alexeev wrote:
>> Hi
>>
>> 14.04.2015 05:20, Ralf Corsepius wrote:
>>> On 04/14/2015 03:01 AM, Elder Marco wrote:
>>>
>>>> Ralf, plowshare is a command-line downloader/uploader for some of the
>>>> most popular file-sharing websites.  Each module (written in bash)
>>>> corresponds to a different sharing site.  The modules are
>>>> downloaded via plowmod, from an official repository provided by
>>>> upstream.
>>> Well, as I said before, I do not like packages, which are doing so.
>>>
>>> I consider them to be a security and data privacy risk, but I am not
>>> in a position to change upstreams nor users.
>>>
>>> My advice to users: Don't use such packages if you are concerned about
>>> your data and your installations' security.
>>>
>> If a package provides some basic modules and also utilities for the user
>> to manage update "channels" or repos in a clean way, why not?
> Why would you trust such "update channels" and the content they provide?
>
> Who tells me their site is trustworthy and not run or having been
> taken over by a secret service, the Mafia or other criminals?
>
>> As was mentioned
>> earlier, much software does the same.
> In Fedora? None that I am aware of, except for Mozilla, whose
> plugins/addons basically suffer from the same issue. Nothing but
> Mozilla itself prevents you from installing the "Nigerian Mafia" or
> the "NSA-Trojan" add-ons.
>
>> Although we do not ship any external
>> yum repos in rpm, there is a clear way for users to add others.
> Correct. The rationale not to allow non-fedora repos in Fedora is
> basically the same.
What do you mean by not allowing? You do not understand me. Not shipping
by default in the distribution does not mean not allowing. The repo format
is well defined, and yum-config-manager allows adding repos.
>
>> And it may
>> be much more of a security breach.
> Well, instead of relying on Fedora shipping a fixed set of scripts
> (which should have been reviewed and tested by the package maintainer
> and protected from forgery with rpm), they want users to download
> and install arbitrary scripts from their site.
Do you really think the maintainer of any package may review all upstream
commits to guarantee anything about upstream software state, quality or
malware presence? Of course we all want and try not to bring bad
things into Fedora, but really it mostly on upstream developer side
happened what happened.

As pip, rubygems and maven are not forbidden to download and install
external dependencies, I hope plowmod also may do that.
>
> IMO, they are implementing a carte-blanche to trojans, malware and
> espionage.
>
> Ralf
>
>
>

-- 
With best wishes, Pavel Alexeev (aka Pahan-Hubbitus). For fast contact
with me use jabber: Hubbitus@xxxxxxxxx
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct




