Announcing rpmfusion

Jeff Spaleta jspaleta at gmail.com
Wed Sep 12 21:07:27 UTC 2007


On 9/12/07, Nicolas Mailhot <nicolas.mailhot at laposte.net> wrote:
> There is a difference between trusting a repo and trusting it to
> authorize other repos

This is a rat hole.  If repositories are going to maliciously add
additional repositories, then the packages from that repo can very
well do pretty much all sorts of malicious reconfiguration. I don't
see why repo configuration is any more sensitive than other package
payloads or scriptlet actions.  Hell, you don't even need to add an
additional file; all you need to do is add additional repository
definitions in the repo file you already provide. I simply don't
understand how you could protect a client system from a repository
that wanted to ensure that a new repository definition was installed
and enabled by default.

On top of that there are justifiable reasons to need to add additional
repo files and additional repository tags inside a repo file due to
repository re-organization.

-jef
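Jeff's point is that a single .repo file can carry more than one repository stanza, so the unit a client should audit is the set of enabled repository definitions, not the number of files. The following script is an added example, not part of the original post or of rpmfusion: it parses a constructed .repo file in the yum/dnf INI format and flags any stanza that is enabled but absent from an administrator-maintained allowlist, or enabled without `gpgcheck`. The repository ids and `.invalid` URLs are placeholders, and the treatment of a missing `enabled` key as "enabled" follows yum's documented default (assumed to hold for dnf as well).

```python
import configparser

# Constructed sample .repo file (not from any real project). The first stanza
# is the repository the administrator knowingly added; the second is an
# additional definition shipped in the same file, enabled by default and
# without signature verification.
SAMPLE_REPO_FILE = """\
[example-main]
name=Example Main Repository
baseurl=https://repo.example.invalid/fedora/$releasever/$basearch/
enabled=1
gpgcheck=1
gpgkey=https://repo.example.invalid/RPM-GPG-KEY-example

[example-extra]
name=Example Extra Repository
baseurl=https://mirror.example.invalid/extra/
enabled=1
gpgcheck=0
"""


def parse_repo_file(text):
    """Return {repo_id: {enabled, gpgcheck, baseurl}} for every stanza in the file."""
    # interpolation=None so yum variables such as $releasever are left untouched.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    repos = {}
    for section in parser.sections():
        stanza = parser[section]
        repos[section] = {
            # yum's documented default: a stanza is enabled unless enabled=0.
            "enabled": stanza.get("enabled", "1") == "1",
            # Assumption: treat a missing gpgcheck as "no verification".
            "gpgcheck": stanza.get("gpgcheck", "0") == "1",
            "baseurl": stanza.get("baseurl"),
        }
    return repos


def audit_repos(repos, allowlist):
    """Flag enabled stanzas the administrator did not approve or that skip gpgcheck."""
    findings = []
    for repo_id, repo in repos.items():
        if repo["enabled"] and repo_id not in allowlist:
            findings.append((repo_id, "enabled but not in allowlist"))
        if repo["enabled"] and not repo["gpgcheck"]:
            findings.append((repo_id, "enabled without gpgcheck"))
    return findings


if __name__ == "__main__":
    # The administrator only approved "example-main"; the extra stanza is reported.
    for repo_id, problem in audit_repos(parse_repo_file(SAMPLE_REPO_FILE), {"example-main"}):
        print(f"{repo_id}: {problem}")
```

On a real system the same check would be run over every file in /etc/yum.repos.d/ and compared against the list of repositories the administrator actually chose to enable; a stanza that appears there without having been added deliberately is exactly the case the thread is discussing.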




More information about the fedora-devel-list mailing list