On 11/18/2009 06:12 PM, Richard Hughes wrote:
> 2009/11/18 Eric Christensen<eric(a)christensenplace.us>:
>> Has anyone drafted a notice to go out on the Announce List explaining
>> this vulnerability? If admins don't know to fix/remove PK then they are
>> putting their systems at risk.
> I'm really bored of this conversation. The bikeshed is blue. There are
> much bigger problems in UNIX security than installing signed packages.
> We don't set a grub password by default.

Signed does not mean bug-free.
Further, observe the broken logic:
"Because local users might be able to break into the system with effort,
it is pointless to have any safeguards at all."
[firefox|pidgin] exploit + PackageKit == trivial remote exploit.
Jeff