clement is a yum repository?
Jean-Marc Pigeon
jmp at safe.ca
Thu Dec 21 21:59:19 UTC 2006
On Thu, 2006-12-21 at 16:48 -0500, Jesse Keating wrote:
> On Thursday 21 December 2006 16:41, Jean-Marc Pigeon wrote:
> > I am afraid saying "repos.d" is out of reach is too
> > self-centric. As Fedora cycles are very short, this will
> > imply Fedora can't be used to run a real application server.
> > Sharing my feeling...
>
> The problem lies in dropping a repo that points to a location that Fedora
> doesn't control. We can't protect against that location being compromised
> and start sending out trojaned binaries to those who enable the repo. This
> is the same reason why 'live updates' of software apps are discouraged, again
> locations that Fedora doesn't control. For this reason alone I would
> discourage and vote against allowing any package to drop another repo in
> place, that wasn't a Fedora controlled repo.
Weak arguments.
- Packages are signed...
- Packages are not coming from 'nowhere', as they are included within
Fedora and supported by the designer.
- Fedora binaries can be compromised too.
- On that count, looking everywhere to find an
up-to-date application is far less secure than going
to the application "reference" site.
The only point I can agree with is the fact it must be clear
such repos.d definitions are NOT Fedora endorsed, but this is
not a technical issue.
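Both sides of the thread turn on whether a package-dropped repo file can be trusted; the "packages are signed" argument only holds if the repo definition actually enforces signature checks against a pinned key. The script below is an added example, not from the thread or Fedora's tooling: it audits a constructed .repo file and flags every section that would install unverified packages.

```shell
#!/bin/sh
# Added example (not part of the thread): audit a yum .repo file and flag
# each [section] that does not enforce GPG signature verification.
# A section passes only when gpgcheck=1 and a gpgkey is pinned.

# write_sample_repo PATH: write a constructed two-section repo file.
# The URLs and key path are made up for this example.
write_sample_repo() {
    cat > "$1" <<'EOF'
[vendor-stable]
name=Vendor stable (constructed example)
baseurl=https://repo.example.com/fedora/stable/$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-vendor

[vendor-testing]
name=Vendor testing (constructed example)
baseurl=https://repo.example.com/fedora/testing/$basearch
enabled=1
gpgcheck=0
EOF
}

# audit_repo PATH: print "OK <section>" or "UNSIGNED <section> (reason)"
# for every section in the file, in file order.
audit_repo() {
    awk -F= '
        function report() {
            if (sec == "") return
            if (check == "1" && key != "")
                print "OK " sec
            else if (check != "1")
                print "UNSIGNED " sec " (gpgcheck is not 1)"
            else
                print "UNSIGNED " sec " (gpgcheck=1 but no gpgkey pinned)"
        }
        /^\[.*\]$/ { report(); sec = substr($0, 2, length($0) - 2); check = ""; key = ""; next }
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v) }
        k == "gpgcheck" { check = v }
        k == "gpgkey"   { key = v }
        END { report() }
    ' "$1"
}

tmp=$(mktemp)
write_sample_repo "$tmp"
audit_repo "$tmp"
rm -f "$tmp"
```

Run against /etc/yum.repos.d/*.repo to see which repo definitions on a host rely on the signing argument without enforcing it.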
More information about the fedora-extras-list mailing list