On Thu, 2021-05-06 at 14:40 -0400, przemek klosowski via devel wrote:
> On 5/5/21 2:29 AM, Adam Williamson wrote:
>
> > If a third party wants to do
> > something nefarious and can convince you to "install a repository" in
> > some way, that means that at minimum they convinced you to drop an
> > arbitrary file in /etc/yum.repos.d . What they probably did was
> > convince you to install a package containing the repo definition, as
> > that's the way most third party repos deploy. Well, that package could
> > do *absolutely anything else at all* on your system with root
> > privileges, because that's how packaging works.
>
> Right, of course, but there are more possibilities between 'completely
> trustable repo' and 'totally evil repo'. We used to control the repos in
> the set likely to be used by most Fedora users, and managed them
> consistently. I assume that in the future there will be more repo
> diversity with all kinds of rules and little leverage to make them
> consistent, which would inevitably end up in confusion.

Really? I mean, third party repos have been around forever. It's not
like they're a new thing. I'm not really opposing any sensible
improvements here, I'm just not seeing the same clear story as you are
here? Why do you think there are going to be a lot more third party
repos used in future?
--
Adam Williamson
Fedora QA
IRC: adamw | Twitter: adamw_ha
https://www.happyassassin.net