KDE RedHat project

Sean seanlkml at sympatico.ca
Mon Aug 22 20:00:37 UTC 2005


On Mon, August 22, 2005 3:06 pm, Michael Schwendt said:

> With emphasis on "_securely_".
>
> Just like you don't want to click a link and see an .exe file execute and
> start downloading and installing something, you don't want automated
> installation of Yum repositories. _Any_ repository out there could add
> itself to your configuration with a single click and provide packages
> which replace Core files. Adding real security in this area requires much
> more than asking the user for confirmation. For now, adding Yum repo
> entries with something like "rpm -ivh
> http://.../foo-release-4-1.noarch.rpm"
> and letting Yum install the included GPG key should be easy enough even if
> it implies that some users probably trust some repositories blindly,
> because those users focus on simplicity instead of security.

Would be nice to avoid the need for the command line.   Wouldn't a simple
popup having a boilerplate warning and the description extracted from the
rpm be sufficient?   If not, what else is needed?   Remember this is about
generic rpm installation of any program, not just rpms containing repo
entries.   I suppose there should be a more verbose warning message if the
rpm isn't signed with a trusted key but beyond that how much more "secure"
can you make it?

Sean





More information about the fedora-devel-list mailing list