On Sat, Dec 31, 2005 at 04:43:16PM +0100, Ralf Ertzinger wrote:
> On Sat, Dec 31, 2005 at 04:20:25PM +0100, Axel Thimm wrote:
>
> > > I don't have any handy now but ask anyone who hangs out in #fedora for
> > > more than a week for the horror stories.
> >
> > Objection, your honor, hearsay.
>
> Well, you do not really make the case that replacing core packages with third
> party ones makes tracking down bugs for FC/FE any easier, do you?

Please show first that there is a case here at all. The discussion is the
same for three years now, and it is still an academic one. Please find some
reported bugs in the hundred thousand bugzillas there that were really
hindered by third party packaging at ATrpms.

> I think that if this extension is made part of core it should, by default, be
> on. Just because all sensible security measures should default to on. And
> I do consider protection against core package replacement a security measure.

You're my man! I really waited for this argument to come. So what about
non-replacing kernel module packages? And new daemons that selinux doesn't
even know about? Packages ripping open your ports to the world w/o having to
replace any single package?

It is very true, if you are a security paranoid, you should avoid replacement
packages, but you should avoid the rest, too. And if you are concerned with
system stability, the first thing you should ban are packages introducing new
kernel modules. Funny that no one cares about that.

So security and stability are obviously not the main argument for some people
advising against some repos. I'll remain on the standpoint that there are
still politics going on, and if the repos in question like ATrpms, kde-redhat
etc would succumb to a painful split of their repos or introduce any other
time consuming effort to shut down these arguments, new ones will pop up.

As a forecast:

o Don't use third party repos due to repository mixing problems
  (-> argument three years ago, now shown to be a negligible problem ...)
o Don't use repos that replace packages
  (current pet argument for repository mobbing)
o Third party repositories don't have enough security in place to be trusted
  (future argument)
o <make up your future argument here>

The point I want to make is: There was a differing of opinions some years
back known to the elder users here. I was hoping that this had come to rest
and we would get forward, but there is still a core that tries to sabotage
3rd party repos (not explicitly anyone on this thread!) by spreading FUD and
mischief about 3rd party repos. Any distinguishing mark found that could be
attacked will be, trust me.

Just to make it clear: If anyone wants to invest his/her time in getting a
better ATrpms, he or she should go ahead and do so. Same for any other
attacked repo. That's the way OSS works, right? Maybe he or she will come
back with a changed point of view, or even better find a better way to
please them all.

> If people want that, they ought to have to make that active decision
> and have to flip the switch in order to do so.

They do by configuring their depsolver to trust that repo in any way, either
by replacement packages, new daemons, new kernel modules and for not shipping
Trojan rpms.

> And, btw, this has nothing at all to do with the quality of the
> atrpms packages.

--
Axel.Thimm at ATrpms.net
-- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list