Kevin Fenzi wrote:
> * There could be some nasty issues with keeping known vulnerable/broken
>   packages around. i.e., foo-1.0 has a severe security bug, foo-1.1 fixes
>   it. You now just need to trick someone into downgrading or directly
>   installing foo-1.0 (which is in normal repos and signed and
>   completely valid looking).

But there are plenty of even older packages in the GA repository, also 
signed with the same key.

        Kevin Kofler

-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
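
Added example, not part of the thread and not code from rpm, yum or Fedora: a client-side policy check showing why a valid signature alone does not stop the foo-1.0 case discussed above, and how a recorded "fixed in" floor plus a no-downgrade rule rejects it whichever repository the old package came from. The function names, the FIXED_IN table and the simplified version ordering (no epoch, '~' or '^' handling) are assumptions made for illustration.

```python
import re
from itertools import zip_longest

def split_segments(version):
    # "1.10b" -> ["1", "10", "b"]: runs of digits or letters, separators dropped.
    return re.findall(r"\d+|[A-Za-z]+", version)

def compare_versions(a, b):
    """Return -1, 0 or 1. Simplified RPM-style ordering (assumption, not rpm's code)."""
    for x, y in zip_longest(split_segments(a), split_segments(b)):
        if x is None:
            return -1                      # a ran out of segments first: a is older
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)          # compare numerically, so 10 > 9
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        if x != y:
            return 1 if x > y else -1
    return 0

def evaluate_install(name, candidate, installed, signature_ok, fixed_in):
    """Return (allowed, reason). fixed_in maps package name -> first fixed version."""
    if not signature_ok:
        return False, "signature check failed"
    floor = fixed_in.get(name)
    # A correctly signed package can still be a known-vulnerable one.
    if floor and compare_versions(candidate, floor) < 0:
        return False, f"{name}-{candidate} predates security fix in {floor}"
    # Refuse silent rollbacks of what is already on the system.
    if installed and compare_versions(candidate, installed) < 0:
        return False, f"{name}-{candidate} would downgrade installed {installed}"
    return True, "ok"

# Constructed sample data using the foo-1.0 / foo-1.1 case from the message.
FIXED_IN = {"foo": "1.1"}

if __name__ == "__main__":
    for cand, inst in [("1.0", None), ("1.1", "1.0"), ("1.1", "1.2")]:
        print(cand, inst, evaluate_install("foo", cand, inst, True, FIXED_IN))
```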
