Re: KDE RedHat project

On Mon, August 22, 2005 3:06 pm, Michael Schwendt said:

> With emphasis on "_securely_".
>
> Just like you don't want to click a link and see an .exe file execute and
> start downloading and installing something, you don't want automated
> installation of Yum repositories. _Any_ repository out there could add
> itself to your configuration with a single click and provide packages
> which replace Core files. Adding real security in this area requires much
> more than asking the user for confirmation. For now, adding Yum repo
> entries with something like "rpm -ivh
> http://.../foo-release-4-1.noarch.rpm"
> and letting Yum install the included GPG key should be easy enough even if
> it implies that some users probably trust some repositories blindly,
> because those users focus on simplicity instead of security.

Would be nice to avoid the need for the command line. Wouldn't a simple
popup having a boilerplate warning and the description extracted from the
rpm be sufficient? If not, what else is needed? Remember this is about
generic rpm installation of any program, not just rpms containing repo
entries. I suppose there should be a more verbose warning message if the
rpm isn't signed with a trusted key but beyond that how much more "secure"
can you make it?

Sean


-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-devel-list
