Posts: 3,319 | Thanked: 5,610 times | Joined on Aug 2008 @ Finland
#234
Originally Posted by zimon
That is one thing I have always disliked about Debian systems, especially their deb format. They do say authenticity and integrity are handled and there are no problems there, but developers still install deb packages blindly, and cumulative security degradation can eventually go through the whole Linux community. (see Thompson's trojan compiler)
I still don't understand what *package-format*-related security problem you're referring to. RPM and DEB are equal in that regard. If you choose not to sign your packages, or the user chooses not to validate them (or not to take into account the results of the validation), then yes, he's exposing himself to a security risk. Whether this happens with RPM or DEB makes no difference whatsoever.

At least that will be fixed with the RPM format in MeeGo, as discussed before.
http://fedoranews.org/tchung/gpg/
(later, when everything is set up, the developer just builds automatically signed packages from a spec file, tarball or src.rpm file.)
$ rpmbuild -ba --sign newpackage.spec
Again, in what way is this different from what debsign does? In fact, a while back uploading to the autobuilder required the package to be signed. I can understand people being more familiar with or preferring one package format/manager, but please, please don't dismiss other formats because you're not familiar with them; it really helps no one.
__________________
Blogging about mobile linux - The Penguin Moves!
Maintainer of PyQt (see introduction and docs), AppWatch, QuickBrownFox, etc
 

The Following 2 Users Say Thank You to attila77 For This Useful Post:
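The thread's actual point is the second half of the reply: signing (rpmbuild --sign, debsign) is worthless if the consumer does not check the signature or ignores the result. The script below is an added example, not code from the thread or from the RPM or Debian projects, showing the consumer side for RPM. It parses the verbose output of `rpm -Kv` (rpm's --checksig) and only allows installation when a GPG signature line verified OK. The caveat it handles: on a package that was never signed, `rpm -K` still reports the digests as OK and exits 0, because there is no signature to fail, so a check that looks only at the exit status or for the word "OK" accepts unsigned packages. The sample `rpm -Kv` outputs are constructed here and modelled on rpm's output format; the package name foo-1.0-1.noarch.rpm and the key ID are made up. The same requirement applies on the Debian side (apt checks the signed Release/InRelease file; dpkg-sig or debsig-verify check per-.deb signatures), but those tools print different output and are not parsed here.

```shell
#!/bin/sh
# Added example (not from the thread): act on the result of RPM signature
# verification instead of trusting the exit status of `rpm -K`.

# classify_checksig: reads `rpm -Kv <pkg>` output on stdin and prints one word:
#   bad      - a digest or signature check failed (or the key is not trusted)
#   nokey    - a signature is present but its public key is not in the rpm keyring
#   signed   - at least one GPG signature line verified OK, nothing failed
#   unsigned - only digest lines, no signature at all (rpm -K still exits 0 here)
# Always returns 0; the caller decides what to do with the verdict.
classify_checksig() {
    out=$(cat)
    # Failure markers: "<check>: BAD" (verbose), "SIGNATURES NOT OK" (terse),
    # and the untrusted-key markers older rpm versions print.
    if printf '%s\n' "$out" | grep -Eq ': BAD|NOT OK|NOTTRUSTED|NOT TRUSTED'; then
        echo bad; return 0
    fi
    if printf '%s\n' "$out" | grep -q NOKEY; then
        echo nokey; return 0
    fi
    # A verified signature line looks like:
    #   Header V4 RSA/SHA256 Signature, key ID 3c3359c4: OK
    if printf '%s\n' "$out" | grep -Eq 'Signature, key ID [0-9a-fA-F]+: OK'; then
        echo signed; return 0
    fi
    # Digest lines alone ("Header SHA256 digest: OK") mean the package is unsigned.
    echo unsigned; return 0
}

# verify_then_install: run rpm -Kv on a package and install only if it is
# signed by a key already imported into the rpm keyring (rpm --import).
# Assumes the rpm binary is installed; rpm --install needs root.
verify_then_install() {
    pkg=$1
    verdict=$(rpm -Kv -- "$pkg" | classify_checksig)
    case $verdict in
        signed)
            echo "$pkg: signature OK, installing"
            rpm --install -- "$pkg"
            ;;
        *)
            echo "$pkg: refusing to install, verification result: $verdict" >&2
            return 1
            ;;
    esac
}

# Constructed sample of `rpm -Kv` output for a package that was never signed:
# every line is OK, yet there is no signature to verify.
UNSIGNED_SAMPLE='foo-1.0-1.noarch.rpm:
    Header SHA256 digest: OK
    Payload SHA256 digest: OK'

# Stand-alone demo: show that the unsigned case is not an install.
if [ "$(basename -- "$0")" != "sh" ] && [ -z "$CHECKSIG_NO_DEMO" ]; then
    printf '%s\n' "$UNSIGNED_SAMPLE" | classify_checksig
fi
```

Run `rpm -Kv package.rpm` once by hand on a signed and on an unsigned package to see the two shapes of output; the difference is exactly the "Signature, key ID ...: OK" line that the classifier requires. If your rpm only prints the terse form (`digests signatures OK`), use `-Kv` as above rather than `-K`, since the terse output for an unsigned package is just `digests OK` and is easy to misread as a successful signature check.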