Local users get to play root?
Adam Williamson
awilliam at redhat.com
Wed Nov 18 22:49:49 UTC 2009
On Wed, 2009-11-18 at 10:52 -0800, Jesse Keating wrote:
> On Wed, 2009-11-18 at 13:22 -0500, James Antill wrote:
> >
> > 7. And the most obvious one ... how hard is it to get a bad package into
> > one of the repos. that the machine has enabled.
>
> Right, PK is counting on this being sufficiently difficult enough to
> prevent bad things from happening. While I'd like to think that, and
> would like to say that, I can't.
I do not see how that's relevant, frankly. For it to be relevant it
would have to be true to state that, if you need root privileges to
install signed packages, it's absolutely no problem if a signed package
is evil. Obviously, that's not at all true. An evil 'trusted' package
would be a Very Bad Thing in any case. Whether you need to be root to
install a trusted package or not is entirely orthogonal, as far as I can
see.
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net
More information about the devel
mailing list