On 8 November 2017 at 13:50, Peter Robinson <pbrobinson@xxxxxxxxx> wrote:
> On Wed, Nov 8, 2017 at 6:47 PM, Zbigniew Jędrzejewski-Szmek
> <zbyszek@xxxxxxxxx> wrote:
>> On Wed, Nov 08, 2017 at 05:58:13PM +0000, Stephen Gallagher wrote:
>>> On Wed, Nov 8, 2017 at 10:53 AM Zbigniew Jędrzejewski-Szmek <
>>> zbyszek@xxxxxxxxx> wrote:
>>>
>>> > On Wed, Nov 08, 2017 at 03:23:37PM +0000, Peter Robinson wrote:
>>> > > On Wed, Nov 8, 2017 at 2:56 PM, Zbigniew Jędrzejewski-Szmek
>>> > > <zbyszek@xxxxxxxxx> wrote:
>>> > > > But why? _Any_ package can completely screw up the system with a bad
>>> > > > scriptlet or a dependency. Let's take one step back and consider why a
>>> > > > package would need special protections: only when there's something
>>> > > > _tricky_ about the package. We have such special protections for the
>>> > > > kernel (signing), firefox (trademarks), and for bootloaders (signing
>>> > > > again),
>>> > >
>>> > > Well the fedora-release package could be arguably open to trademark.
>>> >
>>> > Hmm, Fedora as such certainly. But fedora-release itself I don't think so.
>>> > It has a
>>> > /usr/share/licenses/fedora-release/{Fedora-Legal-README.txt,LICENSE}
>>> > which shouldn't be touched, as in any other package, but apart from
>>> > that it's just a bunch of text files.
>>> >
>>> >
>>> Well, there are a number of places where changing the contents of those
>>> text files can have a significant adverse effect on the distribution. In
>>> particular, many packages rely on the ID=, ID_LIKE=, and VARIANT_ID= fields
>>> in os-release to make decisions. Changing those without an understanding of
>>> what might break would be dangerous. I think that's a good argument for
>>> keeping this package under tighter control.
>>
>> That'd have to be a malicious change. So either a maintainer of fedora-release
>> or a proven packager would have to try to intentionally break the system.
>> It's not something I'd worry about.
>
> We've had issues with this from experienced people so you might not
> worry about it but you're also not the one people will scream at.
> _______________________________________________
> devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx

And most of the time it has not been malicious. It was "I need this to fix my thing and it can't break anything since I tested it on my box". It has happened enough times that it isn't something to be considered a "never will happen again" because it is usually someone else needing something fixed for a deadline and their brain circuits shortcutting because of it.

-- 
Stephen J Smoogen.