
Re: Package warning - Rawhide



Ralf Corsepius wrote:
> On Sun, 2008-10-12 at 14:27 +0530, Rahul Sundaram wrote:
>> Hi,
>>
>> The PackageKit warning for every single unsigned package - which happens to be everything in rawhide - is just plain annoying. Can't we do something nice about that?
>
> The rationale for exposing users to the risks of using unsigned packages
> has always escaped me, even less in the light of "The incident".
>
> I.e. IMO, the "only correct approach" would be to only have signed
> packages in rawhide.

I rarely find common ground with you, but in this instance, I completely agree. Is time delay the reason behind not signing packages? There is a pretty big difference between unstable or development software packages and potentially trojaned ones. This is not just for rawhide. Many of us, including me, run rawhide for a large part of the Fedora development cycle; a security exploit in one of our machines via a bad rawhide mirror can result in malicious packages being pushed to stable repositories or other even worse issues. We should take this attack vector seriously.

Rahul

