[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: clement is a yum repository?



On Thu, 2006-12-21 at 16:48 -0500, Jesse Keating wrote:
> On Thursday 21 December 2006 16:41, Jean-Marc Pigeon wrote:
> >         I am afraid saying "repos.d" is out of reach is too
> >         self-centric. As Fedora cycle are very short this will
> >         imply Fedora can't be use to run a real application server.
> >         Sharing my feeling...
> 
> The problem lies in dropping a repo that points to a location that Fedora 
> doesn't control.  We can't protect against that location being compromised 
> and start sending out trojaned binaries to those who enable the repo.  This 
> is the same reason why 'live updates' of software apps are discouraged, again 
> locations that Fedora doesn't control.  For this reason alone I would 
> discourage and vote against allowing any package to drop another repo in 
> place, that wasn't a Fedora controlled repo.

	Weak arguments.
	- Package are signed...
	- Package are not coming from 'nowhere' as included within
	  Fedora and supported by designer.
	- Fedora binaries can be compromised too.
	- On that count, looking everywhere to find an
	  up-to-date application is far less secure than going
	  to the application "reference" site. 
	
	The only point I can agree with is the fact it must be clear
	such repos.d definition are NOT Fedora endorsed, but this is
	not a technical issue. 
> 


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]