[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Local users get to play root?

On Wed, 2009-11-18 at 14:49 -0800, Adam Williamson wrote:
> On Wed, 2009-11-18 at 10:52 -0800, Jesse Keating wrote:
> > On Wed, 2009-11-18 at 13:22 -0500, James Antill wrote:
> > > 
> > > 7. And the most obvious one ... how hard is it to get a bad package into
> > > one of the repos. that the machine has enabled. 
> > 
> > Right, PK is counting on this being sufficiently difficult enough to
> > prevent bad things from happening.  While I'd like to think that, and
> > would like to say that, I can't.
> I do not see how that's relevant, frankly. For it to be relevant it
> would have to be true to state that, if you need root privileges to
> install signed packages, it's absolutely no problem if a signed package
> is evil. Obviously, that's not at all true. An evil 'trusted' package
> would be a Very Bad Thing in any case. Whether you need to be root to
> install a trusted package or not is entirely orthogonal, as far as I can
> see.
> -- 
> Adam Williamson
> Fedora QA Community Monkey
> IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
> http://www.happyassassin.net

I'd like to point out that there are trusted packages that I wouldn't
want my users downloading.  John is a good example but there are others.

Anyone requested that CVE yet?


Attachment: signature.asc
Description: This is a digitally signed message part

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]