On Thu, 2006-12-21 at 16:48 -0500, Jesse Keating wrote:
> On Thursday 21 December 2006 16:41, Jean-Marc Pigeon wrote:
> > I am afraid saying "repos.d" is out of reach is too
> > self-centric. As Fedora cycles are very short this will
> > imply Fedora can't be used to run a real application server.
> > Sharing my feeling...
>
> The problem lies in dropping a repo that points to a location that Fedora
> doesn't control. We can't protect against that location being compromised
> and start sending out trojaned binaries to those who enable the repo. This
> is the same reason why 'live updates' of software apps are discouraged, again
> locations that Fedora doesn't control. For this reason alone I would
> discourage and vote against allowing any package to drop another repo in
> place, that wasn't a Fedora controlled repo.

Weak arguments.
- Packages are signed...
- Packages are not coming from 'nowhere' as included within Fedora and supported by designer.
- Fedora binaries can be compromised too.
- On that count, looking everywhere to find an up-to-date application is far less secure than going to the application "reference" site.

The only point I can agree with is the fact it must be clear such repos.d definitions are NOT Fedora endorsed, but this is not a technical issue.

> --
fedora-extras-list mailing list
fedora-extras-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-extras-list