[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: PackageKit policy: background and plans



Gregory Maxwell <gmaxwell gmail com> writes:

> There are many kinds of security threat out there. For example, a few
> dishonest
> people within the fedora project could conspire to backdoor the heck out of
> Fedora with a reasonable chance of not getting caught.  Does this fact
> mean that
> we should not bother with signing packages or other security measures?

I didn't suggest anything like that, did I?

> Surely this would be preferable to reducing the security against
> common casual threats.

I'm not talking about reducing security. su, sudo are already suid root
(on most systems at least, especially su). Yes, this is, or at least may
be, a security risk. Admin entering root's password in insecure session
to install software is another security risk. That obviously doesn't
mean I want non-root users to install system software at will.

I just say that when it comes to entering the root password (and/or
installing system software), it should be done in a secure manner,
preferably not from within user X session (unless the risk = the fact
of user = root equivalency is explicitly and specifically understood
and accepted).
-- 
Krzysztof Halasa


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]