Fedora News Updates #1

Rui Miguel Seabra rms at 1407.org
Wed Jan 7 13:22:12 UTC 2004


What you're saying is totally bogus. It's like saying that because there
are other ways to fall down the stairs, let's not teach one way of not
falling down the stairs.

That has got to be the most ridiculous kind of argument in defense of
bad advice I've ever seen.

If you only use root when you really need to, then the probability
that you will have problems falls by several orders of magnitude.

Most Fedora users will run software from reasonable sources, which have
the humanly possible community resources to review software.

up2date and yum and other meta packagers should simply refuse to install
unsigned packages unless forced to. Fedora Core packages do have to be
signed, anyway.

Should we just do like Lindows and run everything as root? We might just
as well.

Rui

On Wed, 2004-01-07 at 12:58, Andy Green wrote:
> Couldn't agree more... but the original point is that railing against doing a 
> make as root is not going to solve anything when we are daily installing RPMs 
> as root, signed or unsigned.  And as you point out, the signature is only an 
> assurance that at some point the package was processed by somebody who had 
> that private key.... it doesn't have anything to say about the untaintedness 
> of the sources -- or the security of the signer's machines and key.
> 
> Unless you undertake to scour sources personally and install by compile only 
> -- something most people would reasonably consider an impossible burden -- 
> you take on a risk by using binary packages, and it's hard to see what can be 
> done to mitigate that, especially when attacks inside RPM scripts could be 
> very subtle and indirect.

-- 
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?

Please AVOID sending me WORD, EXCEL or POWERPOINT attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html
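The gate Rui wants from up2date and yum (refuse unsigned packages unless forced) and the scriptlet worry Andy raises, as an added shell example; it is not part of this thread and not Fedora's or rpm's own tooling. It assumes the two `rpm -K` output styles named in its comments (the rpm 4.x "... gpg OK" line of 2004 and the later "digests signatures OK" line); the sample lines in demo() are constructed, not captured output. The install wrapper needs a real .rpm and root to do anything beyond the check.

```shell
#!/bin/sh
# Added example, not from the thread or from the Fedora project: install an
# RPM only after `rpm -K` reports a verified signature, then show which key
# signed it and what its scriptlets do before handing it to rpm.
# Assumed `rpm -K` formats: rpm 4.x "pkg: (sha1) dsa sha1 md5 gpg OK" and the
# later "pkg: digests signatures OK". The samples in demo() are constructed.

# Classify one line of `rpm -K` (alias `rpm --checksig`) output.
# Prints SIGNED / UNSIGNED / BAD / UNKNOWN and returns 0 only for SIGNED.
sig_status() {
    line=$1
    case "$line" in
        *"NOT OK"*)                 # bad digest, bad signature, or key not imported
            echo BAD; return 1 ;;
        *OK)
            case "$line" in         # digests fine, but was a signature actually checked?
                *[Gg][Pp][Gg]*|*[Pp][Gg][Pp]*|*[Ss]ignatures*)
                    echo SIGNED; return 0 ;;
                *)  echo UNSIGNED; return 1 ;;   # digests only: nobody signed this
            esac ;;
        *)  echo UNKNOWN; return 1 ;;
    esac
}

# Install a local .rpm only when the signature gate passes.
install_if_signed() {
    pkg=$1
    status=$(sig_status "$(rpm -K "$pkg" 2>&1)") || {
        echo "refusing $pkg: signature status $status" >&2
        echo "(import the vendor key with 'rpm --import', do not bypass the check)" >&2
        return 1
    }
    # A valid signature only proves the holder of some key processed the
    # package, so print the key id and confirm it is the one you expect.
    echo "signed by: $(rpm -qp --qf '%{SIGGPG:pgpsig} %{SIGPGP:pgpsig}\n' "$pkg")"
    # Scriptlets (%pre, %post, ...) run as root during install; read them first.
    echo "--- scriptlets in $pkg ---"
    rpm -qp --scripts "$pkg"
    echo "--- end scriptlets ---"
    rpm -Uvh "$pkg"
}

# Constructed sample lines covering every branch of sig_status.
demo() {
    for sample in \
        'foo-1.0-1.i386.rpm: (sha1) dsa sha1 md5 gpg OK' \
        'foo-1.0-1.i386.rpm: sha1 md5 OK' \
        'foo-1.0-1.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#12345678)' \
        'bar-2.0-1.x86_64.rpm: digests signatures OK' \
        'bar-2.0-1.x86_64.rpm: digests OK' \
        'bar-2.0-1.x86_64.rpm: DIGESTS SIGNATURES NOT OK'
    do
        printf '%-9s %s\n' "$(sig_status "$sample")" "$sample"
    done
}

if [ $# -gt 0 ]; then install_if_signed "$1"; else demo; fi
```

Run with no arguments to see the classifier over the constructed samples; run with a package path to apply the gate. The "unless forced to" escape hatch Rui allows for is the explicit `rpm --nosignature` or `yum --nogpgcheck`; the yum-side equivalent of this gate is `gpgcheck=1` in yum.conf. Note what the gate does not do: a SIGNED result says the package was processed by whoever holds the signing key, which is exactly Andy's point, so the key id line and the scriptlet dump are there for a human to read, not for the script to judge.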