Neal Gompa wrote:
> This is also the underlying reason why Red Hat has resisted
> implementing signed repository metadata and enforcing it by default.
> Of course this is a bit of a catch-22 as well, as there's no
> motivation to find a solution because neither Fedora nor RHEL offer
> signed repository metadata despite repeated calls for it over the past
> decade.

Is signed repository metadata not basically moot now that pretty much all the world has moved on from unencrypted HTTP to secure HTTPS?

> Now, don't get me wrong: I'm personally extremely unhappy about having
> to depend on the Sequoia stack for RPM PGP. I have a strong distaste
> for the Rust community ecosystem these days, and I don't love the idea
> of having to have LLVM in the core bootstrap chain (hopefully gcc-rs
> will be in place soon enough!).

The dependency on LLVM is not even the worst issue in my eyes. LLVM is also used by other core projects, e.g., mesa, these days.

The worst issue I see with Rust is the way libraries are "packaged", which just implies installing source code and recompiling that source code for every single application. (And as a result, the output obviously gets statically linked into the application, with all the drawbacks of static linking.) I consider a language with no usable shared library support to be entirely unpackageable and hence entirely useless.

And then of course there is the issue that it is yet another language with yet another syntax (and an only partially C-like one, so the learning curve is unnecessarily high), yet another library ecosystem, etc. C has been the de facto lingua franca all this time, now we are back into a tower-of-babel scenario with tons of programming languages, which will necessarily bloat the core system over time.

> So here we are, in a subpar situation created by bad tools because
> nobody cares enough about security anyway.

Sounds like a mess indeed.

Kevin Kofler