Fedora News Updates #1

Rui Miguel Seabra rms at 1407.org
Wed Jan 7 11:43:28 UTC 2004


On Wed, 2004-01-07 at 11:39, Andy Green wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Wednesday 07 January 2004 11:12, Rui Miguel Seabra wrote:
> 
> > I hope Fedora News stops instructing newbies to use root for anything
> > (including making RPMS from software obtained without any checks).
> >
> > If people start getting used to doing it, pretty soon now we'll have
> > viruses. No, seriously.
> 
> This is the tip of an iceberg.  For example, how many binary RPMs have we 
> installed on our machines, signed or unsigned?  It's possible that the 
> signer's machines were compromised, or upstream sources attacked and then the 
> results signed... and we have to install RPMs as root, so the scripts inside 
> them run as root... for unsigned RPMs you are forced to trust the packager's 
> good faith.

Of course, but Fedora News is giving very dangerous instructions that
should never be given (and they really don't need to be given since
there are safer ways to do it).

With root you have no luck if configure has something like:
   install & execute virus

or rm -fr /, or mke2fs /dev/hda etc....

That is some seriously bad advice.

Rui

-- 
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?

Please AVOID sending me WORD, EXCEL or POWERPOINT attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html