Re: plowshare is not shipped with modules anymore

On Sun, Apr 26, 2015 at 8:11 AM, Richard Z <rz@xxxxxxxxxxxxxx> wrote:
> On Sun, Apr 26, 2015 at 01:14:03PM +0300, Pavel Alexeev wrote:
>> 17.04.2015 07:41, Ralf Corsepius writes:
>> > On 04/17/2015 01:10 AM, Pavel Alexeev wrote:
>> >> Hi
>> >>
>> >> 14.04.2015 05:20, Ralf Corsepius writes:
>> >>> On 04/14/2015 03:01 AM, Elder Marco wrote:
>> >>>
>> >>>> Ralf, plowshare is a command-line downloader/uploader for some of the
>> >>>> most popular file-sharing websites.  Each module (written in bash)
>> >>>> corresponds to a different sharing site.  The modules are
>> >>>> downloaded via
>> >>>> plowmod, from an official repository provided by upstream.
>> >>> Well, as I said before, I do not like packages, which are doing so.
>> >>>
>> >>> I consider them to be a security and data privacy risk, but I am not
>> >>> in a position to change upstreams nor users.
>> >>>
>> >>> My advice to users: Don't use such packages if you are concerned about
>> >>> your data and your installations' security.
>> >>>
>> >> If the package provides some basic modules and also utilities for the user to
>> >> manage update "channels" or repos in a clean way, why not?
>> > Why would you trust such "update channels" and the content they provide?
>> >
>> > Who tells me their site is trustworthy and not run or having been
>> > taken over by a secret service, the Mafia or other criminals?
>> >
>> >> As was mentioned
>> >> earlier, much software does the same.
>> > In Fedora? None that I am aware of, except of Mozilla, whose
>> > plugins/addons basically suffer from the same issue. Nothing but
>> > Mozilla itself prevents you from installing the "Nigerian Mafia" or
>> > the "NSA-Trojan" add-ons.
>> >
>> >> Although we do not ship any external
>> >> yum repos in rpm, there is a clear way for users to add others.
>> > Correct. The rationale not to allow non-fedora repos in Fedora is
>> > basically the same.
>> What do you mean, not allow? You do not understand me. Not shipping by default in the
>> distribution does not mean not allowing it. The repo format is well defined, and
>> yum-config-manager allows adding repos.
>> >
>> >> And it may
>> >> be a much bigger security breach.
>> > Well, instead of relying on Fedora shipping a fixed set of scripts
>> > (which should have been reviewed and tested by the package maintainer
>> > and protected from forgery with rpm), they want users to download and
>> > install arbitrary scripts from their site.
>> Do you really think the maintainer of any package can review all upstream
>> commits to guarantee anything about the upstream software's state, quality or
>> malware presence? Of course we all want to, and try not to bring bad
>> things into Fedora, but really what happened mostly happened on the
>> upstream developer's side.
>
> the maintainer will not catch everything, but it is already a huge win
> if everyone gets the same code from Fedora.
> Makes it much harder to play MITM against individual users and if something
> happens and several users have been shipped the same malicious code there is
> a much better chance to investigate the damage properly if the code was packaged
> than if the code was downloaded on the fly and everyone has his personalised/fuzzed
> malware.
>
>> As pip, rubygems and maven do not forbid downloading and installing external
>> dependencies, I hope plowmod may also do that.
>
> I would not want to forbid plowmod to install external dependencies but it
> should be avoided as far as possible, certainly not the default behaviour.
>
> As of maven, I am also uncomfortable that it downloads gigabytes of stuff
> from somewhere on the internet. Maximum obfuscation, minimum utility while
> introducing security risks for no gain.
>
> Richard

There are ways to make it more secure and robust. I've had difficulty
explaining the problem to some maven advocates, and had to manfully
restrain my "I Told You So" reflex when updates broke things. Perl and
CPAN are, historically, worse, but a similar source of unexpected
update dependency conflicts.
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
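A defender-side illustration of Richard's point above (everyone runs the same reviewed code, and anything else is refused), added here and not part of the thread, of plowshare or of plowmod: a maintainer-reviewed manifest pins the sha256 of each fetched bash module, and a module is only sourced after its hash matches. Everything in it is an assumption: the MANIFEST.sha256 file and its sha256sum-style layout, the modules/ directory, the function names, and the use of GNU coreutils sha256sum; the sandbox it builds is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not plowshare's own code. A pinned manifest of sha256
# hashes stands in for "the same reviewed code for everyone": a module whose
# hash is not in the manifest, or does not match it, is never sourced, so a
# tampered or per-user download channel cannot hand a user different bytes.
# Layout, file names and function names are assumptions for this example.

# Constructed sandbox: two "modules", a manifest pinned over the reviewed
# content, then one module silently changed as a tampered download would be.
setup_sandbox() {
    dir=$(mktemp -d)
    mkdir -p "$dir/modules"
    printf 'echo "good module"\n' > "$dir/modules/good.sh"
    printf 'echo "good module"\n' > "$dir/modules/tampered.sh"
    # Pin both modules while they still hold the reviewed content...
    (cd "$dir/modules" && sha256sum good.sh tampered.sh) > "$dir/MANIFEST.sha256"
    # ...then replace the second one after the fact.
    printf 'echo "unexpected change"\n' > "$dir/modules/tampered.sh"
    printf '%s' "$dir"
}

# verify_module DIR NAME: status 0 only if modules/NAME matches the manifest;
# 2 if NAME is not listed at all, 1 if the hash differs.
verify_module() {
    dir=$1
    name=$2
    expected=$(awk -v n="$name" '$2 == n { print $1 }' "$dir/MANIFEST.sha256")
    if [ -z "$expected" ]; then
        echo "refusing $name: not listed in manifest" >&2
        return 2
    fi
    actual=$(sha256sum "$dir/modules/$name" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "refusing $name: sha256 does not match manifest" >&2
        return 1
    fi
    return 0
}

# load_module DIR NAME: source the module only after it has been verified.
load_module() {
    verify_module "$1" "$2" || return $?
    . "$1/modules/$2"
}

# Demonstration on the constructed sandbox.
sandbox=$(setup_sandbox)
load_module "$sandbox" good.sh
load_module "$sandbox" tampered.sh || echo "tampered.sh was not loaded (status $?)"
rm -rf "$sandbox"
```

The manifest here would be the artefact a maintainer ships and signs alongside the package (rpm already protects it from forgery, as the thread notes); the point of the check is that the decision to refuse is made locally, before anything downloaded is executed, and that a refusal leaves a log line to investigate rather than a silently different module on one user's machine.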