On Thu, 2005-07-28 at 18:26 +0300, Dotan Cohen wrote:
> Thanks, Paul. I just updated successfully, without any special
> parameters. Tell me, how carefully watched are the people who maintain
> packages in, say, extras? Can these repos really be trusted in that
> sense? I guess that I am, in a way, letting the maintainers of the
> repos add anything that they like to my system - I don't have the
> knowledge to go over every last package, and as a home user, I do not
> plan on acquiring that knowledge.

Well, every maintainer in Fedora Extras has to first go through the accounts system (http://admin.fedora.redhat.com/accounts/) to apply for cvs access and get a sponsor (an existing Fedora Extras contributor to act as mentor and keep an eye on them). Then, each new package is peer reviewed on fedora-extras-list. Every cvs commit made in Fedora Extras is posted to fedora-extras-commits, a mailing list that every Fedora Extras package maintainer is supposed to be on.

So there are certainly barriers in place to prevent bad guys getting stuff into Extras, but I'd think a determined attacker would be able to do it. So, as with most security issues, you trade off usability (easy access to packages in Extras or other repos) against security (the possibility that packages in Extras or other repos could be trojanned etc.).

There is also of course the possibility that the bad guys could get trojan code injected upstream of Fedora, and if the upstream package was part of Fedora Core then Fedora Core itself could then be vulnerable.

Paul.

-- 
Paul Howarth <paul@xxxxxxxxxxxx>