On Mon, 03 Aug 2015 05:53:15 +0200 Kevin Kofler <kevin.kofler@xxxxxxxxx> wrote:

> Kevin Fenzi wrote:
> > * There could be some nasty issues with keeping known
> > vulnerable/broken packages around. I.e., foo-1.0 has a severe
> > security bug, foo-1.1 fixes it. You now just need to trick someone
> > into downgrading or directly installing foo-1.0 (which is in normal
> > repos and signed and completely valid looking).
>
> But there are plenty of even older packages in the GA repository,
> also signed with the same key.

Sure, but this increases the exposure.

kevin
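As an added example, not part of the thread: a defender-side check that flags when a proposed install or downgrade would land on a package version below the one that carries a known fix, the foo-1.0 / foo-1.1 situation described above. The `FIXED_IN` table and the sample transaction are constructed for this example, and `rpm_vercmp` is a simplified reimplementation of RPM's version ordering, not the rpm library itself.

```python
import re

# Constructed for this example: package name -> first version with the security fix.
FIXED_IN = {"foo": "1.1"}

# RPM-style segmentation: runs of digits, runs of letters, and the '~' marker;
# separators such as '.' and '-' are ignored.
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpm_vercmp(a: str, b: str) -> int:
    """Simplified reimplementation of RPM's version comparison.

    Digit segments compare numerically, letter segments lexically, a digit
    segment outranks a letter segment, and '~' sorts before anything
    (so 1.1~rc1 < 1.1). Returns -1, 0 or 1 like rpmvercmp."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x == "~":
            return -1
        if y == "~":
            return 1
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit():  # numeric segment beats alphabetic segment
            return 1
        if y.isdigit():
            return -1
        return (x > y) - (x < y)
    # Common prefix equal: extra segments make a version newer unless they start with '~'.
    if len(sa) > len(sb):
        return -1 if sa[len(sb)] == "~" else 1
    if len(sb) > len(sa):
        return 1 if sb[len(sa)] == "~" else -1
    return 0


def flags_vulnerable_install(pkg: str, version: str) -> bool:
    """True if installing `version` of `pkg` would land below the known fix."""
    fixed = FIXED_IN.get(pkg)
    return fixed is not None and rpm_vercmp(version, fixed) < 0


def audit_transaction(requests):
    """Return the (pkg, version) pairs in a proposed install/downgrade list that
    would reintroduce a vulnerability already fixed in a later version."""
    return [(p, v) for p, v in requests if flags_vulnerable_install(p, v)]
```

A signature check alone would pass foo-1.0 here; this kind of version floor is what catches the downgrade.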