Re: streamlining fedora-release

On Wed, Nov 8, 2017 at 7:18 PM, Stephen John Smoogen <smooge@xxxxxxxxx> wrote:
> On 8 November 2017 at 13:50, Peter Robinson <pbrobinson@xxxxxxxxx> wrote:
>> On Wed, Nov 8, 2017 at 6:47 PM, Zbigniew Jędrzejewski-Szmek
>> <zbyszek@xxxxxxxxx> wrote:
>>> On Wed, Nov 08, 2017 at 05:58:13PM +0000, Stephen Gallagher wrote:
>>>> On Wed, Nov 8, 2017 at 10:53 AM Zbigniew Jędrzejewski-Szmek <
>>>> zbyszek@xxxxxxxxx> wrote:
>>>>
>>>> > On Wed, Nov 08, 2017 at 03:23:37PM +0000, Peter Robinson wrote:
>>>> > > On Wed, Nov 8, 2017 at 2:56 PM, Zbigniew Jędrzejewski-Szmek
>>>> > > <zbyszek@xxxxxxxxx> wrote:
>>>> > > > But why? _Any_ package can completely screw up the system with a bad
>>>> > > > scriptlet or a dependency. Let's take one step back and consider why a
>>>> > > > package would need special protections: only when there's something
>>>> > > > _tricky_ about the package. We have such special protections for the
>>>> > > > kernel (signing), firefox (trademarks), and for bootloaders (signing
>>>> > > > again),
>>>> > >
>>>> > > Well the fedora-release package could be arguably open to trademark.
>>>> >
>>>> > Hmm, Fedora as such certainly. But fedora-release itself I don't think so.
>>>> > It has a
>>>> > /usr/share/licenses/fedora-release/{Fedora-Legal-README.txt,LICENSE}
>>>> > which shouldn't be touched, as in any other package, but apart from
>>>> > that it's just a bunch of text files.
>>>> >
>>>> >
>>>> Well, there are a number of places where changing the contents of those
>>>> text files can have a significant adverse effect on the distribution. In
>>>> particular, many packages rely on the ID=, ID_LIKE=, and VARIANT_ID= fields
>>>> in os-release to make decisions. Changing those without an understanding of
>>>> what might break would be dangerous. I think that's a good argument for
>>>> keeping this package under tighter control.
>>>
>>> That'd have to be a malicious change. So either a maintainer of fedora-release
>>> or a proven packager would have to try to intentionally break the system.
>>> It's not something I'd worry about.
>>
>> We've had issues with this from experienced people so you might not
>> worry about it but you're also not the one people will scream at.
>> _______________________________________________
>> devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
>> To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
>
> And most of the time it has not been malicious. It was "I need this to
> fix my thing and it can't break anything since I tested it on my box".
> It has happened enough times that it isn't something to be considered
> a "never will happen again" because it is usually someone else needing
> something fixed for a deadline and their brain circuits shortcutting
> because of it.

Correct, sorry if my response wasn't clear, there has never been, as
far as I've been aware, any malicious intention. It's mostly that the
Fedora project is large and people test things in their view of the
Fedora world, and in those contexts it's perfect, but the impact on
other desktops/architectures/virt platforms etc sometimes needs
perspective/history or more importantly knowing who you need to double
check with.

Peter
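
The fields named earlier in this thread (ID=, ID_LIKE=, VARIANT_ID=) can be compared between the shipped os-release and a proposed one before a change lands, so that a value other packages branch on never changes without a second reviewer. This is an added example, not part of the original messages or of the fedora-release package; the function names and the sample file contents are constructed for illustration.

```python
import shlex

# Fields the thread names as ones other packages make decisions on.
GUARDED_KEYS = ("ID", "ID_LIKE", "VARIANT_ID")


def parse_os_release(text):
    """Parse os-release content (shell-style KEY=value lines) into a dict."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # Values may be bare, single-quoted or double-quoted; shlex unquotes them.
        parts = shlex.split(value)
        fields[key.strip()] = parts[0] if parts else ""
    return fields


def guarded_changes(baseline_text, candidate_text, keys=GUARDED_KEYS):
    """Return {key: (old, new)} for guarded keys whose value differs.

    A key absent from one side is reported as None, so additions and
    removals show up as well as edits. Quoting-only changes are ignored.
    """
    old = parse_os_release(baseline_text)
    new = parse_os_release(candidate_text)
    return {k: (old.get(k), new.get(k)) for k in keys if old.get(k) != new.get(k)}


# Constructed sample inputs, not taken from any real fedora-release build.
BASELINE = """NAME=Fedora
VERSION="27 (Workstation Edition)"
ID=fedora
VARIANT_ID=workstation
"""
CANDIDATE = """NAME=Fedora
VERSION="27 (Workstation Edition)"
ID="fedora"
ID_LIKE="rhel centos"
VARIANT_ID=desktop
"""

if __name__ == "__main__":
    for key, (old, new) in guarded_changes(BASELINE, CANDIDATE).items():
        print(f"REVIEW NEEDED: {key} changed from {old!r} to {new!r}")
```

Run against the packaged file and the file in a proposed update, a non-empty result is the signal to pull in the people who know which consumers depend on that field.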