Package warning - Rawhide

Rahul Sundaram sundaram at fedoraproject.org
Sun Oct 12 09:27:30 UTC 2008


Ralf Corsepius wrote:
> On Sun, 2008-10-12 at 14:27 +0530, Rahul Sundaram wrote:
>> Hi,
>>
>> The PackageKit warning for every single unsigned package - which happens 
>> to be everything in rawhide - is just plain annoying. Can't we do 
>> something nice about that?
> The rationale for exposing users to the risks of using unsigned packages
> has always escaped me, even less in the light of "The incident".
> 
> I.e. IMO, the "only correct approach" would be to only have signed
> packages in rawhide.

I rarely find common ground with you, but in this instance I completely 
agree. Is time delay the reason behind not signing packages? There is a 
pretty big difference between unstable or development software packages 
and potentially trojaned ones. This is not just for rawhide. Many of us, 
including me, run rawhide for a large part of the Fedora development 
cycle; a security exploit on one of our machines via a bad rawhide 
mirror can result in malicious packages being pushed to stable 
repositories, or other even worse issues. We should take this attack 
vector seriously.

Rahul
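As an added defender-side example, not part of this thread or of any Fedora tooling: the check a rawhide user or mirror admin could run to find the packages this thread is worried about. It parses `rpm -K` style output (the constructed sample below approximates the rpm 4.4-era line format; the package names and the key id are made up) and separates packages that are signed by a known key from ones that are unsigned, signed by an unknown key, or fail their digest, then flags any enabled yum repo section that has `gpgcheck=0` in a constructed `.repo` fragment. The `fallback` defaults for `enabled` and `gpgcheck` are assumptions about yum's behaviour, not taken from the thread.

```python
import configparser

# Constructed sample of `rpm -K *.rpm` output in the rpm 4.4-era format.
# Package names and the key id are made up, not real Fedora packages.
SAMPLE_RPM_K_OUTPUT = """\
signed-pkg-1.0-1.fc10.noarch.rpm: (sha1) dsa sha1 md5 gpg OK
unsigned-pkg-2.3-1.fc10.x86_64.rpm: sha1 md5 OK
unknown-key-pkg-0.9-2.fc10.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0badc0de)
corrupt-pkg-1.1-1.fc10.noarch.rpm: sha1 MD5 NOT OK
"""

# Tokens that appear in rpm -K output only when the package carries a
# PGP/GPG signature header; digest-only packages print just sha1/md5.
SIGNATURE_TOKENS = {"gpg", "pgp", "dsa", "rsa"}


def classify_rpm_k_line(line):
    """Classify one `rpm -K` line as SIGNED, UNSIGNED, UNTRUSTED_KEY or BAD.

    Returns (package_name, verdict), or None for lines that do not look
    like rpm -K output.
    """
    pkg, sep, result = line.strip().partition(": ")
    if not sep or not pkg:
        return None
    if "MISSING KEYS" in result:
        # A signature is present but its key is not in the rpm keyring:
        # the signature cannot be trusted, which is not the same as unsigned.
        return pkg, "UNTRUSTED_KEY"
    if "NOT OK" in result:
        # A digest or signature check failed: corrupt or tampered file.
        return pkg, "BAD"
    tokens = {t.strip("()").lower() for t in result.split()}
    if tokens & SIGNATURE_TOKENS:
        return pkg, "SIGNED"
    return pkg, "UNSIGNED"


def audit_rpm_k_output(output):
    """Group the packages in rpm -K output by verdict."""
    summary = {"SIGNED": [], "UNSIGNED": [], "UNTRUSTED_KEY": [], "BAD": []}
    for line in output.splitlines():
        parsed = classify_rpm_k_line(line)
        if parsed:
            pkg, verdict = parsed
            summary[verdict].append(pkg)
    return summary


def mirror_is_acceptable(summary):
    """The policy argued for in the thread: every package signed by a known key."""
    return not (summary["UNSIGNED"] or summary["UNTRUSTED_KEY"] or summary["BAD"])


# Constructed yum .repo fragment (hostnames are placeholders). The gpgcheck=0
# line is the weak setting that lets unsigned packages install without a check.
SAMPLE_REPO_FILE = """\
[rawhide]
name=Fedora - Rawhide - Developmental packages
baseurl=http://example.invalid/rawhide/
enabled=1
gpgcheck=0

[updates]
name=Fedora - Updates
baseurl=http://example.invalid/updates/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora
"""


def repos_without_gpgcheck(repo_text):
    """Return the enabled repo sections that have signature checking off.

    Defaults (enabled on, gpgcheck off when the key is absent) are assumed
    here for the example; check your yum/dnf version's documented defaults.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(repo_text)
    weak = []
    for section in parser.sections():
        enabled = parser.get(section, "enabled", fallback="1") == "1"
        gpgcheck = parser.get(section, "gpgcheck", fallback="0") == "1"
        if enabled and not gpgcheck:
            weak.append(section)
    return weak


if __name__ == "__main__":
    summary = audit_rpm_k_output(SAMPLE_RPM_K_OUTPUT)
    for verdict, pkgs in summary.items():
        print(verdict, pkgs)
    print("mirror acceptable:", mirror_is_acceptable(summary))
    print("repos with gpgcheck disabled:", repos_without_gpgcheck(SAMPLE_REPO_FILE))
```

The distinction between UNSIGNED and UNTRUSTED_KEY matters for the argument in the thread: a package with no signature at all is exactly what a compromised mirror would serve, while a package signed by a key the client does not have is a keyring problem, not evidence of tampering.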