On Mon, Jun 14, 2021 at 8:35 PM Gordon Messmer <gordon.messmer@xxxxxxxxx> wrote:
>
> On 6/14/21 5:11 PM, Neal Gompa wrote:
> > On Mon, Jun 14, 2021 at 8:02 PM Gordon Messmer <gordon.messmer@xxxxxxxxx> wrote:
> >> https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
> > It's not terribly different from how organizations may have private
> > Python package indexes that may use whatever names they want for
> > Python software they build and release.
>
>
> Yes, that was my point. That's exactly how Alex Birsan was able to
> infiltrate and exploit "dozens" of tech companies.

That only worked because public was default, not private. That's not how
it works for Fedora packages at all.

--
真実はいつも一つ!/ Always, there's only one truth!
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
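An added illustration of the "public was default" point above. This is example code written for this page, not code from the thread, from Fedora, or from pip: a toy resolver with two constructed indexes, showing how a merged public-plus-private lookup that simply takes the highest version lets a same-named public package shadow the internal one, and how a private-only or scoped policy closes that path. It also includes the audit check a defender would run first: list internal names that also exist on the public index. Package names, versions and index contents are all made up.

```python
"""Toy dependency-resolution model for the dependency-confusion discussion.

Constructed example: the indexes below are dictionaries, not real servers,
and the resolver is deliberately minimal. It models only the policy decision
of which index a name is allowed to come from.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple  # e.g. (1, 4, 0); compared lexicographically
    index: str      # "private" or "public"


# Constructed index contents. "acme-billing" is an internal-only package
# on the private index; the same name also exists on the public index
# with a much higher version. "requests" is a normal public dependency.
PRIVATE_INDEX: Dict[str, List[Candidate]] = {
    "acme-billing": [Candidate("acme-billing", (1, 4, 0), "private")],
}
PUBLIC_INDEX: Dict[str, List[Candidate]] = {
    "acme-billing": [Candidate("acme-billing", (99, 0, 0), "public")],
    "requests": [Candidate("requests", (2, 25, 1), "public")],
}

# Names the organisation owns and never publishes publicly (constructed).
INTERNAL_NAMES: Set[str] = {"acme-billing"}


def resolve(name: str, policy: str) -> Optional[Candidate]:
    """Pick the candidate for `name` under a given policy.

    "public-default": merge both indexes and take the highest version.
        Public-by-default behaviour: the higher public version wins.
    "private-only": consult the private index only; names it lacks fail
        closed (returns None) instead of falling through to public.
    "scoped": internal names resolve from private only; everything else
        from public only. Lookups never cross that boundary.
    """
    if policy == "public-default":
        cands = PRIVATE_INDEX.get(name, []) + PUBLIC_INDEX.get(name, [])
    elif policy == "private-only":
        cands = PRIVATE_INDEX.get(name, [])
    elif policy == "scoped":
        source = PRIVATE_INDEX if name in INTERNAL_NAMES else PUBLIC_INDEX
        cands = source.get(name, [])
    else:
        raise ValueError(f"unknown policy: {policy}")
    if not cands:
        return None
    return max(cands, key=lambda c: c.version)


def shadowed_internal_names() -> List[str]:
    """Audit helper: internal names that also exist on the public index
    with a version higher than the private one. Any hit is a name that a
    merge-and-take-highest resolver would silently pull from public."""
    hits = []
    for name in sorted(INTERNAL_NAMES):
        priv = PRIVATE_INDEX.get(name, [])
        pub = PUBLIC_INDEX.get(name, [])
        if priv and pub and max(c.version for c in pub) > max(c.version for c in priv):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for policy in ("public-default", "private-only", "scoped"):
        for pkg in ("acme-billing", "requests"):
            print(f"{policy:15} {pkg:13} -> {resolve(pkg, policy)}")
    print("shadowed internal names:", shadowed_internal_names())
```

The "scoped" policy is the shape of the fix: the resolver decides where a name may come from before it looks at versions, so a higher public version is never even a candidate for an internal name. The audit function is the cheap check to run against an existing private index before changing resolver configuration.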