Why people are not switching to Fedora

Elad Alfassa elad at fedoraproject.org
Fri May 8 10:03:57 UTC 2015


On Fri, May 8, 2015 at 12:27 PM, Michael Schwendt <mschwendt at gmail.com> wrote:
> On Thu, 7 May 2015 23:27:31 +0300, Elad Alfassa wrote:
>
>> Another point is that this repo does not seem to be fast enough with
>> security updates, as it is operated by volunteers and doesn't seem to
>> have a security response team - so it sometimes takes weeks for
>> critical security fixes to be shipped to users.
>
> Wait a minute! You don't really want to open that can of worms.
> Do you know any examples about _critical_ vulnerabilities in rpmfusion.org
> packages?

CVE-2014-9629 in VLC, for example. I could probably find more if I
looked at more packages.
>
> Fedora may have a security team, but there are 304 open CVE tickets about
> "moderate vulnerabilities" dating back as far as into the year 2012,
> and 38 open tickets about "important vulnerabilities" dating back into
> early 2013. Example:

Ouch. Okay, in that case you can ignore my point about security
response in rpmfusion.

But regardless of the security response point, I still think
installing rpmfusion harms user safety. There's no way to verify that the
key you just trusted is the actual signing key used by rpmfusion; an
adversary could easily replace the "Enable RPMFusion on your system"
page with something more sinister.



-- 
-Elad.
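The trust problem raised above is that the repository key is accepted on first use from whatever page or mirror the user happened to reach. Nothing in a config file can replace checking the key's fingerprint out of band, but the .repo file can at least be audited for the two settings that decide whether a substituted key or unsigned package would go unnoticed: gpgcheck must be enabled, and every gpgkey source must be a local file:// path or an https:// URL rather than plain http://. The script below is an added example, not code from this thread or from the RPM Fusion project; the .repo contents it writes to temporary files are constructed samples with .invalid hostnames and do not describe any real repository.

```sh
#!/bin/sh
# Added example: audit yum/dnf .repo files for weak signature settings.
# The sample .repo contents below are constructed for this demo.

# audit_section NAME GPGCHECK GPGKEY
# Prints one line per finding; returns 0 when the section is clean, 1 otherwise.
audit_section() {
    s_name=$1 s_check=$2 s_key=$3
    bad=0
    if [ "$s_check" != "1" ]; then
        echo "[$s_name] gpgcheck=${s_check:-<unset>}: package signatures are not enforced"
        bad=1
    fi
    if [ -z "$s_key" ]; then
        echo "[$s_name] no gpgkey configured: nothing to verify signatures against"
        bad=1
    fi
    # gpgkey may list several space-separated sources; each one must be trustworthy.
    for src in $s_key; do
        case $src in
            file:///*|https://*) ;;   # shipped locally or fetched over TLS
            http://*) echo "[$s_name] gpgkey fetched over plain http: $src"; bad=1 ;;
            *)        echo "[$s_name] unrecognised gpgkey source: $src";     bad=1 ;;
        esac
    done
    return $bad
}

# check_repo_file FILE
# Walks every [section] in FILE and audits it; returns 0 only if all are clean.
check_repo_file() {
    file=$1
    section="" gpgcheck="" gpgkey="" result=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            \[*\])
                # A new section starts: audit the one we just finished reading.
                if [ -n "$section" ]; then
                    audit_section "$section" "$gpgcheck" "$gpgkey" || result=1
                fi
                section=${line#[}; section=${section%]}
                gpgcheck="" gpgkey=""
                ;;
            gpgcheck=*) gpgcheck=${line#gpgcheck=} ;;
            gpgkey=*)   gpgkey=${line#gpgkey=} ;;
        esac
    done < "$file"
    # Audit the final section (there is no following header to trigger it).
    if [ -n "$section" ]; then
        audit_section "$section" "$gpgcheck" "$gpgkey" || result=1
    fi
    return $result
}

# Constructed sample: key shipped as a local file, signatures enforced.
SAFE_REPO=$(mktemp)
cat > "$SAFE_REPO" <<'EOF'
[example-free]
name=Example third-party repo (constructed sample)
baseurl=https://mirror.example.invalid/free/$releasever/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example-free
EOF

# Constructed sample: signatures off, key over plain http, and a section with no key.
UNSAFE_REPO=$(mktemp)
cat > "$UNSAFE_REPO" <<'EOF'
[example-nonfree]
name=Example third-party repo with weak settings (constructed sample)
baseurl=http://mirror.example.invalid/nonfree/$releasever/
enabled=1
gpgcheck=0
gpgkey=http://mirror.example.invalid/keys/RPM-GPG-KEY-example-nonfree

[example-updates]
name=Example repo with no key at all (constructed sample)
baseurl=https://mirror.example.invalid/updates/
enabled=1
gpgcheck=1
EOF

for f in "$SAFE_REPO" "$UNSAFE_REPO"; do
    if check_repo_file "$f"; then
        echo "$f: clean"
    else
        echo "$f: weak settings found"
    fi
done
```

Run it against /etc/yum.repos.d/*.repo to get a per-section list of findings. A clean result only means the configuration will reject packages not signed by the key it points to; whether that key is really the vendor's is still something to confirm against a fingerprint obtained from a second, independent channel.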

