On 5/7/21 12:08 PM, Adam Williamson wrote:
Really? I mean, third party repos have been around forever. It's not
like they're a new thing. I'm not really opposing any sensible
improvements here, I'm just not seeing the same clear story as you are
here? Why do you think there are going to be a
On Thu, 2021-05-06 at 14:40 -0400, przemek klosowski via devel wrote:
> On 5/5/21 2:29 AM, Adam Williamson wrote:
>
> > If a third party wants to do
> > something nefarious and can convince you to "install a repository" in
> > some way, that means that at minimum they convinced you to drop an
>
Matthew Miller wrote:
> I'm glad you mentioned this, because that's my thought too. DNF 5 with
> modularity 2.0 :)
Not the m-word again!
Kevin Kofler
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to
On 5/5/21 2:29 AM, Adam Williamson wrote:
If a third party wants to do
something nefarious and can convince you to "install a repository" in
some way, that means that at minimum they convinced you to drop an
arbitrary file in /etc/yum.repos.d . What they probably did was
convince you to
On Thu, Apr 29, 2021, at 4:04 PM, przemek klosowski via devel wrote:
> Few weeks ago we had an announcement of a Python supply chain hack where
> people supplied libraries with names matching some private library
> names, which took precedence and overrode those private libraries,
> giving
On Thu, May 06, 2021 at 08:56:47AM +0200, Daniel Mach wrote:
> To be clear, I like the idea of vendor/repo stickiness turned on by
> default, it could solve a lot of problems and eventually provide a
> very simple alternative to modularity. I'm just not convinced that
I'm glad you mentioned this,
On 5/5/21 7:08 PM, Neal Gompa wrote:
On Wed, May 5, 2021 at 11:55 AM Qiyu Yan wrote:
在 2021-05-05星期三的 07:44 +0200,Dan Čermák写道:
przemek klosowski via devel writes:
Is that something we need to worry about? I couldn't think of any new
rules to impose on repositories, but maybe dnf should
On Wed, May 5, 2021 at 11:55 AM Qiyu Yan wrote:
>
> 在 2021-05-05星期三的 07:44 +0200,Dan Čermák写道:
> > przemek klosowski via devel writes:
> >
> > > Is that something we need to worry about? I couldn't think of any new
> > > rules to impose on repositories, but maybe dnf should have more
> > >
在 2021-05-05星期三的 07:44 +0200,Dan Čermák写道:
> przemek klosowski via devel writes:
>
> > Is that something we need to worry about? I couldn't think of any new
> > rules to impose on repositories, but maybe dnf should have more
> > explicit
> > warnings when it sees multiple versions of the same
In Debian based systems you can configure if a repository is to be
considered for updates or only when manually installing a package that
either is only included in that repo or where you explicitly state you want
it to be from that repo.
apt can also show all the versions from all the
On Wed, 2021-05-05 at 07:44 +0200, Dan Čermák wrote:
> przemek klosowski via devel writes:
>
> > Is that something we need to worry about? I couldn't think of any new
> > rules to impose on repositories, but maybe dnf should have more explicit
> > warnings when it sees multiple versions of the
przemek klosowski via devel writes:
> Is that something we need to worry about? I couldn't think of any new
> rules to impose on repositories, but maybe dnf should have more explicit
> warnings when it sees multiple versions of the same package, or at least
> a way to show such versions.
Or
Le jeu. 29 avr. 2021 à 22:04, przemek klosowski via devel
a écrit :
>...
> For completness, here are the remaining strange cases:
>
> openhantek.x86_64 2.06-1.fc31rpmfusion-nonfree
> openhantek.x86_64 3.2-1.fc34 fedora
I've fixed this one on f35+ for rpmfusion-nonfree. Package moved to
przemek klosowski via devel wrote:
> but the recent trend is to loosen up and increase the
> repository set: rpmfusion, ROCm, packages-microsoft-com-prod are likely
> to be used because they contain useful software.
IMHO, everyone using the Microsoft repository is on their own. Isn't the
whole
Few weeks ago we had an announcement of a Python supply chain hack where
people supplied libraries with names matching some private library
names, which took precedence and overrode those private libraries,
giving the hackers control.
Now, the name collisions are built-in into RPM, because
15 matches
Mail list logo
