[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: yum 2.1.0



On Wed, 2004-09-01 at 10:25 -0400, seth vidal wrote:
> > It'd also be nice if yum supported 'temporary' repositories that were
> > passed to it on the command line or through library calls, so, for
> > example, an application RPM could include some meta-data pointing toa
> > repository containing dependencies, so users don't have to a) manually
> > add the repository to their yum.conf or b) manually download all the
> > dependencies.
> 
> It seems to me that a 'temporary' repository is a root kit waiting to
> happen.

It's no worse than users installing any other RPM.  If you don't trust
the source, don't use it.  Certainly with signed RPMs and a little bit
of clue on the part of the user unintentional installation of untrusted
packages can be avoided.  So long as you have someone who doesn't know
or doesn't care about good security, you're not going to stop them from
installing something malicious.

The temporary repository in this example would only be ever referenced
during the initial installation of the application RPM - if the vendor
of the RPM wanted to install malicious code, there is no reason for them
to put it in a separate package instead of just putting the code
directly in the app RPM.

> 
> -sv
> 
> 
> 
> 
-- 
Sean Middleditch <elanthis awesomeplay com>
AwesomePlay Productions, Inc.



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]