Package warning - Rawhide
Rahul Sundaram
sundaram at fedoraproject.org
Sun Oct 12 09:27:30 UTC 2008
Ralf Corsepius wrote:
> On Sun, 2008-10-12 at 14:27 +0530, Rahul Sundaram wrote:
>> Hi,
>>
>> The PackageKit warning for every single unsigned package - which happens
>> to be everything in rawhide is just plain annoying. Can't we do
>> something nice about that?
> The rationale for exposing users to the risks of using unsigned packages
> has always escaped me, even less in the light of "The incident".
>
> I.e. IMO, the "only correct approach" would be to only have signed
> packages in rawhide.
I rarely find common ground with you, but in this instance I completely
agree. Is time delay the reason behind not signing packages? There is a
pretty big difference between unstable or development software packages
and potentially trojaned ones. This is not just for rawhide. Many of us,
including me, run rawhide for a large part of the Fedora development
cycle; a security exploit on one of our machines via a bad rawhide
mirror can result in malicious packages being pushed to stable
repositories, or other even worse issues. We should take this attack
vector seriously.
Rahul