On 11/18/2009 05:14 PM, Richard Hughes wrote:
2009/11/18 Jeff Garzik<jgarzik(a)pobox.com>:
> How little social engineering + virus automation does it take to get such an
> install to include a malicious 3rd party repo?
You need the root password to install from repos not signed by a key
previously imported, or if the package signature is wrong.
You forget we have botnets doing distributed cracking now.
Fedora just opened up a huge attack vector, for the users who are least
equipped to understand the consequences.
And this enormous security hole of a policy change was done with next to
/zero/ communication, making it likely that many admins will not even
know they are vulnerable until their kids install a bunch of unwanted
packages.
Jeff