In Debian based systems you can configure if a repository is to be considered for updates or only when manually installing a package that either is only included in that repo or where you explicitly state you want it to be from that repo.
apt can also show all the versions from all the repositories of a package and which one it sees as the default for update/install. Cheers Luk On Wed, 5 May 2021 at 08:30, Adam Williamson <adamw...@fedoraproject.org> wrote: > On Wed, 2021-05-05 at 07:44 +0200, Dan Čermák wrote: > > przemek klosowski via devel <devel@lists.fedoraproject.org> writes: > > > > > Is that something we need to worry about? I couldn't think of any new > > > rules to impose on repositories, but maybe dnf should have more > explicit > > > warnings when it sees multiple versions of the same package, or at > least > > > a way to show such versions. > > > > Or how about teaching dnf that only certain repositories are allowed to > > be used for updates (with an allowedlist for exceptions)? Then microsoft > > or any other third party repo could put hello-5000-1 into their repo and > > it could never compromise your system, as dnf would not consider the 3rd > > party repo a valid update repo for a base system package. > > > > That would require dnf to track where it got the package from though > > and I am not sure if it does that at the moment? > > It does, but then you're just opening up a whole can of worms. And, I > mean, this seems like a very narrow focus. If a third party wants to do > something nefarious and can convince you to "install a repository" in > some way, that means that at minimum they convinced you to drop an > arbitrary file in /etc/yum.repos.d . What they probably did was > convince you to install a package containing the repo definition, as > that's the way most third party repos deploy. Well, that package could > do *absolutely anything else at all* on your system with root > privileges, because that's how packaging works. > > And a nefarious repo doesn't really need to use an RPM name collision > to do...well...anything much, really. It can just have a perfectly > correctly-named package contain whatever nefarious payload it wants. > > So I guess my question is: is there something specific we are > preventing by worrying about package name collisions, which any person > in a position to produce a package name collision could not just > achieve in a dozen or more other ways? > -- > Adam Williamson > Fedora QA > IRC: adamw | Twitter: adamw_ha > https://www.happyassassin.net > > > _______________________________________________ > devel mailing list -- devel@lists.fedoraproject.org > To unsubscribe send an email to devel-le...@lists.fedoraproject.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure >
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
