
Re: Announcing rpmfusion



On 9/12/07, Nicolas Mailhot <nicolas mailhot laposte net> wrote:
> There is a difference between trusting a repo and trusting it to
> authorize other repos

This is a rat hole.  If repositories are going to maliciously add
additional repositories, then the packages from that repo can very
well do pretty much all sorts of malicious reconfiguration. I don't
see why repo configuration is any more sensitive than other package
payloads or scriptlet actions.  Hell, you don't even need to add an
additional file; all you need to do is add additional repository
definitions in the repo file you already provide. I simply don't
understand how you could protect a client system from a repository
that wanted to ensure that a new repository definition was installed
and enabled by default.

On top of that there are justifiable reasons to need to add additional
repo files and additional repository tags inside a repo file due to
repository re-organization.

-jef
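
Added example, not part of the original message: a defender-side audit of the point that a single repo file can carry several repository definitions. It parses a constructed .repo file and reports enabled repository ids that are not on an approved list; the sample content, the function names and the approved list are assumptions made for illustration.

```python
import configparser

# Constructed sample: one .repo file carrying two repository definitions.
SAMPLE_REPO_FILE = """\
[example-free]
name=Example Free
baseurl=http://repo.example.invalid/free/
enabled=1
gpgcheck=1

[example-extra]
name=Example Extra
baseurl=http://mirror.example.invalid/extra/
gpgcheck=0
"""


def _is_on(value):
    """Interpret the boolean spellings commonly seen in .repo files."""
    return value.strip().lower() in ("1", "true", "yes", "on")


def enabled_repos(repo_text):
    """Return {repo_id: gpgcheck_on} for every enabled section."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(repo_text)
    found = {}
    for repo_id in parser.sections():
        section = parser[repo_id]
        # Assumption: a section without an "enabled" key is treated as
        # enabled, and one without "gpgcheck" as unchecked.
        if _is_on(section.get("enabled", fallback="1")):
            found[repo_id] = _is_on(section.get("gpgcheck", fallback="0"))
    return found


def unexpected_repos(repo_text, approved):
    """List enabled repo ids that are not in the approved set."""
    return sorted(set(enabled_repos(repo_text)) - set(approved))


if __name__ == "__main__":
    for repo_id, checked in enabled_repos(SAMPLE_REPO_FILE).items():
        print(repo_id, "gpgcheck on" if checked else "gpgcheck OFF")
    print("not approved:", unexpected_repos(SAMPLE_REPO_FILE, {"example-free"}))
```

Run against the real files under the repo configuration directory after each package update, this shows when an already-installed repo file has gained a new enabled section.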

