PackageKit Misconceptions
Richard Hughes
hughsient at gmail.com
Wed Aug 22 17:40:39 UTC 2007
On 22/08/07, Jesse Keating <jkeating at redhat.com> wrote:
> Also it's easy enough to install some piece of software off the net
> that drops a yum repo file in place and starts handing you packages
> from another repo. You should get the opportunity to confirm your
> trust in this repo before it starts replacing all kinds of packages in
> your system..
> (now said packages that drop a repo file could just easily set
> gpgcheck=no and bypass all the trust issues, but that's neither here
> nor there)
I think it is very important actually. If a malicious package is
putting files in random places as the root user (installing a package
manually using rpm) then we've essentially lost security on the system
as far as I'm concerned.
You could take this argument one step further and a malicious package
could be designed to patch yum/rpm to not do the gpg checks.
Richard.
More information about the Fedora-desktop-list
mailing list