On 12/08/2017 06:48 PM, Adam Williamson wrote:
On Fri, 2017-12-08 at 10:45 -0600, Michael Cronenworth wrote:
On 12/08/2017 10:40 AM, Steve Dickson wrote:
You are telling me there hundreds of people that have complete
control over all the packages in fedora with no boundaries???
They can do anything they what??? Wow...
Not really. There are a handful of packages that are protected. I tried to push a
grub2 update for a change that maintainers ignored for years. I couldn't create
updates in Bodhi and my rawhide build, although successful, was not properly signed
for release to the repos.
The whole boot chain is restricted in this way due to Secure Boot,
basically; we have to restrict who is allowed to build boot chain
packages to satisfy requirements of the Secure Boot signing program.
I'm not in any special Fedora group and I can build and tag glibc, so
whatever protection is in place (if any is at all), it is very limited
at best.
(While glibc is not itself part of the boot chain, it is part of its
build process, and thus among of the trusted set of packages.)
Florian
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
