[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Local users get to play root?



On Wed, 2009-11-18 at 10:52 -0800, Jesse Keating wrote:
> On Wed, 2009-11-18 at 13:22 -0500, James Antill wrote:
> > 
> > 7. And the most obvious one ... how hard is it to get a bad package into
> > one of the repos. that the machine has enabled. 
> 
> Right, PK is counting on this being sufficiently difficult enough to
> prevent bad things from happening.  While I'd like to think that, and
> would like to say that, I can't.

I do not see how that's relevant, frankly. For it to be relevant it
would have to be true to state that, if you need root privileges to
install signed packages, it's absolutely no problem if a signed package
is evil. Obviously, that's not at all true. An evil 'trusted' package
would be a Very Bad Thing in any case. Whether you need to be root to
install a trusted package or not is entirely orthogonal, as far as I can
see.

-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]