FC5 and Yum Plugins

Axel Thimm Axel.Thimm at ATrpms.net
Sat Dec 31 19:02:21 UTC 2005


On Sat, Dec 31, 2005 at 04:43:16PM +0100, Ralf Ertzinger wrote:
> On Sat, Dec 31, 2005 at 04:20:25PM +0100, Axel Thimm wrote:
> 
> > > I don't have any handy now but ask anyone who hangs out in #fedora for 
> > > more than a week for the horror stories.
> > 
> > Objection, your honor, hearsay.
> 
> Well, you do not really make the case that replacing core packages with third
> party ones makes tracking down bugs for FC/FE any easier, do you?

Please show first that there is a case here at all. The discussion is
the same for three years now, and it is still an academic one. Please
find some reported bugs in the hundred thousand bugzillas there that
were really hindered by third party packaging at ATrpms.

> I think that if this extension is made part of core it should, by default, be
> on. Just because all sensible security measures should default to on. And
> I do consider protection against core package replacement a security measure.

You're my man! I really waited for this argument to come. So what
about non-replacing kernel module packages? And new daemons that
selinux doesn't even know about? Packages ripping open your ports to
the world w/o having to replace any single package?

It is very true, if you are a security paranoid, you should avoid
replacement packages, but you should avoid the rest, too.

And if you are concerned with system stability, first thing you should
ban are packages introducing new kernel modules.

Funny that no one cares about that. So security and stability are
obviously not the main argument for some people advising against some
repos. I'll remain on the standpoint that there are still politics
going on, and if the repos in question like ATrpms, kde-redhat etc
would succumb to a painful split of their repos or introduce any other
time consuming effort to shut down these arguments new ones will pop
up. As a forecast:

o Don't use third party repos due to repository mixing problems (->
  argument three years ago, now shown to be a negligible problem ...)
o Don't use repos that replace packages (current pet argument for
  repository mobbing)
o Third party repositories don't have enough security in place to be
  trusted (future argument)
o <make up your future argument here>

The point I want to make is: There was a difference of opinion some
years back known to the elder users here. I was hoping that this had
come to rest and we would get forward, but there is still a core that
tries to sabotage 3rd party repos (not explicitly anyone on this
thread!) by spreading FUD and mischief about 3rd party repos. Any
distinguishing mark found that could be attacked will be, trust me.

Just to make it clear: If anyone wants to invest his/her time in
getting a better ATrpms, he/she should go ahead and do so. Same for any
other attacked repo. That's the way OSS works, right? Maybe he or she will
come back with a changed point of view, or even better find a better
way to please them all.

> If people want that, they ought to have to make that active decision
> and have to flip the switch in order to do so.

They do by configuring their depsolver to trust that repo in any way,
either by replacement packages, new daemons, new kernel modules and
for not shipping Trojan rpms.

> And, btw, this has nothing at all to do with the quality of the
> atrpms packages.


-- 
Axel.Thimm at ATrpms.net
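The plugin behaviour the two posters are arguing about (refuse to let a third party repo replace a package that the distribution's own repos also ship, with a switch for whether that is on by default) can be modelled in a few lines. The following is an added illustration written for this page; it is not code from yum, from any yum plugin, or from ATrpms, and the repository names, package names, versions and the `protect` flag are constructed sample data. It also shows the point made in the reply above: such a filter only touches same-named replacements, and lets entirely new packages (a new daemon, a kernel module package) through untouched.

```python
"""Model of a "protect the base repos" depsolver filter.

Added example, not code from the thread, from yum or from any yum plugin.
Repo names, package names, versions and the `protect` flag are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Repo:
    name: str
    protect: bool  # constructed flag: True for the distribution's own repos


@dataclass(frozen=True)
class Package:
    name: str
    version: str  # "2.6.15-1" style; compared numerically by split_version()
    repo: str


def split_version(v: str) -> Tuple[int, ...]:
    """Turn '2.6.15-1' into (2, 6, 15, 1) so versions compare as numbers.

    Non-numeric chunks compare as 0; good enough for the constructed sample,
    real rpm version comparison is considerably more involved.
    """
    return tuple(int(c) if c.isdigit() else 0
                 for c in v.replace("-", ".").split("."))


def protect_base(candidates: List[Package], repos: Dict[str, Repo],
                 enabled: bool = True) -> List[Package]:
    """Drop every candidate from an unprotected repo whose package name also
    exists in a protected repo. Packages that exist only in third party repos
    (new daemons, kernel module packages, ...) pass through untouched, which
    is exactly what such a filter does not protect against.
    """
    if not enabled:
        return list(candidates)
    protected_names = {p.name for p in candidates if repos[p.repo].protect}
    return [p for p in candidates
            if repos[p.repo].protect or p.name not in protected_names]


def best_candidates(candidates: List[Package]) -> Dict[str, Package]:
    """Pick the highest version per package name, as a depsolver would."""
    best: Dict[str, Package] = {}
    for p in candidates:
        cur = best.get(p.name)
        if cur is None or split_version(p.version) > split_version(cur.version):
            best[p.name] = p
    return best


# Constructed sample data: two protected distribution repos, one third party repo.
REPOS = {
    "core": Repo("core", protect=True),
    "extras": Repo("extras", protect=True),
    "thirdparty": Repo("thirdparty", protect=False),
}
CANDIDATES = [
    Package("kernel", "2.6.14-1", "core"),
    Package("kernel", "2.6.15-1", "thirdparty"),   # would replace a core package
    Package("xmms", "1.2.10-5", "extras"),
    Package("xmms", "1.2.10-9", "thirdparty"),     # would replace an extras package
    Package("newdaemon", "0.1-1", "thirdparty"),   # new package, not a replacement
    Package("kmod-foo", "1.0-1", "thirdparty"),    # new kernel module package
]


def resolve(enabled: bool = True) -> Dict[str, Package]:
    """Run the protection filter (or not) and then pick the best candidates."""
    return best_candidates(protect_base(CANDIDATES, REPOS, enabled))


if __name__ == "__main__":
    for enabled in (True, False):
        print(f"protection {'on' if enabled else 'off'}:")
        for name, p in sorted(resolve(enabled).items()):
            print(f"  {name:10} {p.version:10} from {p.repo}")
```

With protection on, the newer kernel and xmms from the third party repo are filtered out and the distribution's versions win; newdaemon and kmod-foo are installed either way, since nothing in the base repos has those names. Flipping `enabled` to False is the "make the user flip the switch" default the quoted poster argues against.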