Ralf Corsepius wrote:
> On Sun, 2008-10-12 at 14:27 +0530, Rahul Sundaram wrote:
>> Hi,
>> The PackageKit warning for every single unsigned package, which happens
>> to be everything in rawhide, is just plain annoying. Can't we do
>> something nice about that?
> The rationale for exposing users to the risks of using unsigned packages
> has always escaped me, even less in the light of "The incident".
> I.e. IMO, the "only correct approach" would be to only have signed
> packages in rawhide.
I rarely find common ground with you, but in this instance I completely
agree. Is time delay the reason behind not signing packages? There is a
pretty big difference between unstable or development software packages
and potentially trojaned ones. This is not just for rawhide. Many of us,
including me, run rawhide for a large part of the Fedora development
cycle; a security exploit on one of our machines via a bad rawhide
mirror can result in malicious packages being pushed to stable
repositories or other even worse issues. We should take this attack
vector seriously.
Rahul
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
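The client-side counterpart of the risk discussed in this thread is whether the package manager is configured to verify signatures at all. The following script is an added example, not part of the thread or of any Fedora tooling: it parses a yum/dnf-style repository configuration and reports every enabled repository that would install packages without a signature check. The sample configuration is constructed (placeholder hostnames and paths), the function name audit_repo_config is my own, and the semantics assumed are those documented in yum.conf(5): a repository's own gpgcheck overrides the [main] value, [main] gpgcheck defaults to 0 when unset, and repositories are enabled unless enabled=0.

```python
import configparser

# Constructed sample in yum/dnf .repo syntax; hostnames and paths are placeholders.
SAMPLE_REPO_CONFIG = """\
[fedora]
name=Fedora $releasever
baseurl=http://mirror.example.invalid/fedora/$releasever/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora

[rawhide]
name=Fedora Rawhide
baseurl=http://mirror.example.invalid/rawhide/
enabled=1
gpgcheck=0

[rawhide-debuginfo]
name=Fedora Rawhide debuginfo
baseurl=http://mirror.example.invalid/rawhide-debuginfo/
enabled=0
gpgcheck=0

[local-builds]
name=Local test builds
baseurl=file:///srv/repo/
enabled=1
"""


def audit_repo_config(text, main_gpgcheck=False):
    """Return a list of (repo_id, reason) for enabled repositories that would
    install packages without a signature check.

    Assumed semantics (yum.conf(5)): a repo-level gpgcheck overrides the
    [main] value; [main] gpgcheck defaults to 0 when not set; a repository
    is enabled unless enabled=0.
    """
    # interpolation=None keeps yum variables such as $releasever literal.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    if parser.has_section("main"):
        main_gpgcheck = parser.getboolean("main", "gpgcheck", fallback=main_gpgcheck)

    findings = []
    for repo_id in parser.sections():
        if repo_id == "main":
            continue
        if not parser.getboolean(repo_id, "enabled", fallback=True):
            continue  # a disabled repository cannot supply packages
        if parser.has_option(repo_id, "gpgcheck"):
            if not parser.getboolean(repo_id, "gpgcheck"):
                findings.append((repo_id, "gpgcheck=0: package signatures are never verified"))
        elif not main_gpgcheck:
            findings.append((repo_id, "gpgcheck unset and the [main] default is off"))
    return findings


if __name__ == "__main__":
    for repo_id, reason in audit_repo_config(SAMPLE_REPO_CONFIG):
        print(f"{repo_id}: {reason}")
```

On the constructed sample the script flags `rawhide` (explicitly disabled checking) and `local-builds` (no setting, inheriting the off default), while the disabled debuginfo repository is ignored. Passing `main_gpgcheck=True` models a hardened /etc/yum.conf and leaves only the repository that switches checking off on its own.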