On 5/5/21 2:29 AM, Adam Williamson wrote:
> If a third party wants to do something nefarious and can convince you to "install a repository" in some way, that means that at minimum they convinced you to drop an arbitrary file in /etc/yum.repos.d. What they probably did was convince you to install a package containing the repo definition, as that's the way most third party repos deploy. Well, that package could do *absolutely anything else at all* on your system with root privileges, because that's how packaging works.
Right, of course, but there are more possibilities between 'completely trustable repo' and 'totally evil repo'. We used to control the repos in the set likely to be used by most Fedora users, and managed them consistently. I assume that in the future there will be more repo diversity with all kinds of rules and little leverage to make them consistent, which would inevitably end up in confusion.
Essentially, now the package names are in a global name space, which, as we remember from the programming languages history, tends to be problematic.
I liked Daniel Mach's ideas about vendor-lock and how it might actually be a way to re-implement modularity. I think they would create implicit namespaces that would mitigate the above concerns.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure