Summary/Minutes for Wednesday's FESCo meeting (2012-12-05)

Till Maas opensource at till.name
Fri Dec 7 19:11:08 UTC 2012


On Wed, Dec 05, 2012 at 03:20:14PM -0500, Bill Nottingham wrote:

> * 960 - F18 schedule + the holidays  (notting, 18:50:29)
>   * LINK: https://fedoraproject.org/wiki/JaroslavReznik/FedupF18Final -
>     not updated yet  (jreznik, 18:58:15)

>   * AGREED: Do not block on fedup signature checking (not a regression)
>     (+:7, -:0, 0:0)  (notting, 19:08:47)

How is not providing a supported way to do secure upgrade of Fedora not
a regression? It is a big disappointment that Fedora is more and more
turning its back on security. If I remember correctly, Fedora was one of
the leading distributions providing and using signed packages. But with
time this is more and more invalidated and people are more and more
expected to install unsigned packages or not to verify them.  At least
back in 2010 malicious mirrors were still acknowledged as a security
risk for Fedora users and signed packages were mentioned as a
countermeasure:
https://fedoraproject.org/wiki/Mirror_manager_security_risks
How come it became less important now? Actually it is even easier to
attack users as more and more mobile devices are used. And what is even
worse, the whole problem of not verifying packages on upgrade or the
upgrade image itself is not even prominently communicated. There is
nothing in the release notes about this:
http://docs.fedoraproject.org/en-US/Fedora/18/html/Release_Notes/sect-Release_Notes-Changes_for_Sysadmin.html#idm32350976

I am very disappointed about this and I think this is a bad decision.
:-(

Regards
Till