Why people are not switching to Fedora

drago01 drago01 at gmail.com
Fri May 8 10:24:32 UTC 2015


On Fri, May 8, 2015 at 12:03 PM, Elad Alfassa <elad at fedoraproject.org> wrote:
> On Fri, May 8, 2015 at 12:27 PM, Michael Schwendt <mschwendt at gmail.com> wrote:
>> On Thu, 7 May 2015 23:27:31 +0300, Elad Alfassa wrote:
>>
>>> Another point is that this repo does not seem to be fast enough with
>>> security updates, as it is operated by volunteers and doesn't seem to
>>> have a security response team - so it sometimes takes weeks for
>>> critical security fixes to be shipped to users.
>>
>> Wait a minute! You don't really want to open that can of worms.
>> Do you know any examples about _critical_ vulnerabilities in rpmfusion.org
>> packages?
>
> CVE-2014-9629 in VLC, for example. I could probably find more if I'd
> look at more packages.
>>
>> Fedora may have a security team, but there are 304 open CVE tickets about
>> "moderate vulnerabilities" dating back as far as into the year 2012,
>> and 38 open tickets about "important vulnerabilities" dating back into
>> early 2013. Example:
>
> Ouch. Okay, in that case you can ignore my point about security
> response in rpmfusion.
>
> But regardless of the security response point, I still think
> installing rpmfusion harms user safety. There's no way to verify the
> key you just trusted is the actual signing key used by rpmfusion, an
> adversary could easily replace the "Enable RPMFusion on your system"
> page with something more sinister.

Well, that can be fixed though (i.e. serve the file over SSL; sure, there
it would still be possible to attack the server and replace the
package there, but at least one cannot easily hijack the domain / http
request and replace it).
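As an added illustration of the two points raised in this exchange (trusting a key fetched over plain HTTP, and gpgcheck being the thing that actually binds packages to that key), the script below is example code written for this thread, not anything shipped by rpmfusion or Fedora. It audits a yum/dnf .repo file and flags sections whose baseurl/metalink/mirrorlist or gpgkey are fetched over http:// or ftp://, whose gpgcheck is off, or which have no gpgcheck line at all. The sample repo contents and the mirror.example.invalid hostname are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not rpmfusion's or Fedora's code): audit .repo files for
# transport and signature-check hygiene. Findings are printed one per line;
# the function returns 1 if anything was flagged, 0 otherwise.

audit_repo_file() {
    file=$1
    rc=0
    section=""
    seen_gpgcheck=1
    while IFS= read -r line || [ -n "$line" ]; do
        # strip CR and surrounding whitespace so "gpgcheck = 0" style lines still match
        line=$(printf '%s' "$line" | tr -d '\r' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//;s/[[:space:]]*=[[:space:]]*/=/')
        case "$line" in
            ''|'#'*|';'*) continue ;;
            \[*\])
                # closing the previous section: was gpgcheck ever set there?
                if [ -n "$section" ] && [ "$seen_gpgcheck" -eq 0 ]; then
                    echo "$section: no gpgcheck line (relies on the global default)"
                    rc=1
                fi
                section=${line#\[}
                section=${section%\]}
                seen_gpgcheck=0 ;;
            gpgcheck=*)
                seen_gpgcheck=1
                val=${line#gpgcheck=}
                if [ "$val" != "1" ] && [ "$val" != "True" ] && [ "$val" != "true" ]; then
                    echo "$section: gpgcheck=$val (package signatures are not verified)"
                    rc=1
                fi ;;
            baseurl=*|metalink=*|mirrorlist=*|gpgkey=*)
                key=${line%%=*}
                val=${line#*=}
                # gpgkey may carry several space-separated URLs; check each one
                for u in $val; do
                    case "$u" in
                        https://*|file://*) ;;
                        http://*) echo "$section: $key fetched over plain HTTP ($u)"; rc=1 ;;
                        ftp://*)  echo "$section: $key fetched over FTP ($u)"; rc=1 ;;
                    esac
                done ;;
        esac
    done < "$file"
    if [ -n "$section" ] && [ "$seen_gpgcheck" -eq 0 ]; then
        echo "$section: no gpgcheck line (relies on the global default)"
        rc=1
    fi
    return $rc
}

# Constructed sample repo files for the demonstration: one weak, one hardened.
write_sample_repos() {
    dir=$1
    cat > "$dir/weak.repo" <<'EOF'
[sample-free]
name=constructed sample (weak)
baseurl=http://mirror.example.invalid/free/fedora/releases/$releasever/
enabled=1
gpgcheck=0
gpgkey=http://mirror.example.invalid/keys/RPM-GPG-KEY-sample
EOF
    cat > "$dir/hardened.repo" <<'EOF'
[sample-free]
name=constructed sample (hardened)
metalink=https://mirror.example.invalid/metalink?repo=free-fedora-$releasever
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-sample-$releasever
EOF
}

# Stand-alone run: audit both constructed files and report.
tmp=$(mktemp -d)
write_sample_repos "$tmp"
for f in "$tmp/weak.repo" "$tmp/hardened.repo"; do
    if audit_repo_file "$f"; then
        echo "OK: $f"
    else
        echo "FINDINGS in $f (see above)"
    fi
done
rm -rf "$tmp"
```

Run it against /etc/yum.repos.d/*.repo to get the same report for a real system; the file:// gpgkey in the hardened sample is the shape Fedora's own repos use, where the key arrives with the distribution rather than being downloaded at enable time.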


More information about the desktop mailing list