przemek klosowski via devel <devel@xxxxxxxxxxxxxxxxxxxxxxx> writes: > Is that something we need to worry about? I couldn't think of any new > rules to impose on repositories, but maybe dnf should have more explicit > warnings when it sees multiple versions of the same package, or at least > a way to show such versions. Or how about teaching dnf that only certain repositories are allowed to be used for updates (with an allowedlist for exceptions)? Then microsoft or any other third party repo could put hello-5000-1 into their repo and it could never compromise your system, as dnf would not consider the 3rd party repo a valid update repo for a base system package. That would require dnf to track where it got the package from though and I am not sure if it does that at the moment? Cheers, Dan
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
