tag:blogger.com,1999:blog-8108277809937554792.post1163343893600586948..comments2009-11-23T07:50:39.070-06:00Steven Pritchardhttp://www.blogger.com/profile/00716303018104544735noreply@blogger.comBlogger4125tag:blogger.com,1999:blog-8108277809937554792.post-33838284486622507782009-11-23T07:50:39.070-06:002009-11-23T07:50:39.070-06:00old timer?! I&#39;m 33!skvidalhttp://www.blogger.com/profile/00993961635850065167noreply@blogger.comtag:blogger.com,1999:blog-8108277809937554792.post-5555608888180493732009-11-21T15:50:51.385-06:002009-11-21T15:50:51.385-06:00Now that I have fully read and study the case, the incident is a classic example of failure of communication. There is not a problem with the functionality. (Credit for GeneralZod from linuxfr.org for detailed information)<br /><br /><i> * The installation of one package shouldn&#39;t change the behavior of the system. (This one package changes the behavior of the system, plus allows for other packages to be installed that could do the same.) If you take into account that unintended dependencies tend to pull in random stuff during upgrades, this becomes especially important.</i><br /><br />It is actually policies change from Freedesktop discussed on mail list six months ago. The maintainer of PackageKit only applies it and only concerns local users. Note that behaviour only applies for signed packages from trusted repositories i.e. you already imported their keys.<br /><br /><br /><i> * Can we really guarantee that there are no signed packages available that are exploitable, all the time?</i><br /><br />That is social-engineering in this case. The policy perfectly worked on rawhide and Fedora 12 Beta because you still need authorization from root to install unsigned packages or when you import keys after you have installed a repository for the first time. It is only with signed packages that behaviour occurs with <b>PackageKit</b> on desktop environment. <br /><br />The <a href="https://fedoraproject.org/wiki/Features/UserAccountDialog" rel="nofollow">incoming feature of Fedora 13</a> only reinforces the original policy from Fedora 12.Luya Tshimbalangahttp://www.blogger.com/profile/05391142834277609577noreply@blogger.comtag:blogger.com,1999:blog-8108277809937554792.post-294049870715970372009-11-21T10:05:42.128-06:002009-11-21T10:05:42.128-06:00Very nice.Steven Pritchardhttp://www.blogger.com/profile/00716303018104544735noreply@blogger.comtag:blogger.com,1999:blog-8108277809937554792.post-77834718415054913832009-11-20T14:21:33.629-06:002009-11-20T14:21:33.629-06:00&quot;This one slipped by us, but I hope the decision will be made to push an update with a more sane default. &quot;<br /><br />It already was.<br /><br />https://www.redhat.com/archives/fedora-announce-list/2009-November/msg00012.html<br /><br />https://www.redhat.com/archives/fedora-devel-list/2009-November/msg01445.htmlAdamWhttp://www.blogger.com/profile/01360019761470485694noreply@blogger.com