On Mi, 2014-01-08 at 13:38 -0500, Stephen Gallagher wrote: > I don't really see this being more likely than an existing application > just bundling a wrapper script for certificate generation and > 'update-ca-extract' and quietly running that as part of %post. Just as > easy to miss and equally effective (with much less trouble).
true > I don't think that we can really write policy that eliminates the risk > of a determined abuse of the available technology. Probably. What do you think about adding a section to package reviewing guidelines, which says that packages that add files to the global CA directories should provide reasoning, and have someone check that reasoning. It might at least make people aware this is something to be careful with. Kai -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
