On Wed, Nov 18, 2009 at 5:18 PM, Jeff Garzik <jgarzik(a)pobox.com> wrote:
You forget we have botnets doing distributed cracking now.
But...if you've cracked the root password, there are rather easier
(and less audited) routes to trojaning the system than adding a third
party yum repository and downloading your malicious RPM.
And this enormous security hole of a policy change was done with next
to
/zero/ communication, making it likely that many admins will not even know
they are vulnerable until their kids install a bunch of unwanted packages.
I think you are correct that the change could have been documented better.