Nils Breunese (Lemonbit Internet) wrote:
> Why would anyone who has updates enabled not want legacy updates
> to be enabled?
From my perspective, I want to know *who* the updates are coming
from. In the case of Redhat updates, I know that there are
ISO-9001 procedures and policies in place as well as corporate
oversight and more importantly corporate responsibility (from a
legal point of view). From FL you generally (if not universally)
get good updates; however, do you really really know what was in
that last ssh update that you got? While I am not so paranoid as to
automatically suspect everything I download, I am paranoid enough
to try and understand the origin of what I download.
So...
1) what server should be used as the default update server
for out-of-the-box updates?
2) what policies, purview, and scrutiny should that/those server
operators be put under, and who will take responsibility
for enforcing this?
3) what legal disclaimers, and by what means, will alert
newbies that they are no longer getting official Redhat
updates?
Currently all three of the above issues are addressed individually
by users who manually configure their systems. This action is so
user-intensive (visit website, cut-copy-paste yum.conf, download
and install yum, etc.) that it isolates FL from legal
responsibility. All FL has to do to protect itself is not
intentionally post malicious code or instructions.