Getting to F18

Reindl Harald h.reindl at thelounge.net
Sun Dec 16 17:12:13 UTC 2012



On 16.12.2012 18:02, Bruno Wolff III wrote:
> On Sun, Dec 16, 2012 at 19:17:50 +1030,
>   Tim <ignored_mailbox at yahoo.com.au> wrote:
>> On Sat, 2012-12-15 at 11:18 -0600, Bruno Wolff III wrote:
>>> Unless you think you have a chance of being singled out by a government
>>> or if you don't trust some of the people/machines on your local
>>> network, this isn't a significant risk.
>>
>> You don't think some malcontent might try to set up a bogus repo, or
>> damage another one, just because they're an ass?
> 
> They have to get people to use such a repo, which is going to be hard. One could get away with it perhaps for a
> little while by showing different data to users and to the mirror checker. And only a small fraction of people are
> going to end up using such a mirror.

nothing easier than to point you to another repo with /etc/hosts
if something goes wrong on your machine - it is enough if you
ONE TIME enter your root-password in the wrong dialog and
after pointing you to a modified repo you get a backdoor installed
which you can not detect if it is done well by filtering output of
lsof, ps and whatever tools you think are helping you in such cases

who makes you believe repos are always trustable for sure and no
ssh-keys of maintainers are lost and misused? it happened not so long
ago to the fedora infrastructure (google is your friend)

the first and largest mistake in the context of security you can make
is to think you are secure but not have the knowledge to make
sure it is so - goodwill and hope are no basis for security
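
A defensive check for the /etc/hosts redirection described in the message above, added here as an example and not part of the original post: it flags repository hostnames from a yum `.repo` file that are pinned to an address in a hosts file, and repos that explicitly set `gpgcheck=0`. The hosts and repo contents are constructed samples, and the function names are hypothetical.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample inputs (not taken from the original post).
SAMPLE_HOSTS = """\
127.0.0.1   localhost localhost.localdomain
::1         localhost
203.0.113.7 mirrors.fedoraproject.org   # constructed suspicious entry
"""
SAMPLE_REPO = """\
[fedora]
name=Fedora $releasever - $basearch
metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
enabled=1
gpgcheck=1

[local-test]
name=constructed example repo
baseurl=http://repo.example.invalid/f18/
enabled=1
gpgcheck=0
"""

def hosts_overrides(hosts_text):
    """Map each hostname in a hosts file to the first address pinned for it."""
    pinned = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        for name in fields[1:]:
            pinned.setdefault(name.lower(), fields[0])
    return pinned

def audit(hosts_text, repo_text):
    """Return (repo_id, finding) tuples for hosts-pinned repo hosts and gpgcheck=0."""
    pinned = hosts_overrides(hosts_text)
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(repo_text)
    findings = []
    for repo in cfg.sections():
        for key in ("baseurl", "mirrorlist", "metalink"):
            # baseurl may list several URLs separated by whitespace or newlines
            for url in cfg.get(repo, key, fallback="").split():
                host = (urlparse(url).hostname or "").lower()
                if host in pinned:
                    findings.append((repo, f"{host} pinned to {pinned[host]} in hosts file"))
        if cfg.get(repo, "gpgcheck", fallback="").strip().lower() in ("0", "false", "no"):
            findings.append((repo, "gpgcheck explicitly disabled"))
    return findings

if __name__ == "__main__":
    for repo, finding in audit(SAMPLE_HOSTS, SAMPLE_REPO):
        print(f"[{repo}] {finding}")
```

On a real system the inputs would be the contents of `/etc/hosts` and the files under `/etc/yum.repos.d/`; a clean result here does not cover mirrors returned dynamically by a metalink or settings inherited from the main yum configuration.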
