[WBEL-devel] Suggesting YAML

John Morris jmorris@beau.org
Fri, 5 Dec 2003 11:49:23 -0600 (CST)


On Fri, 5 Dec 2003, John Hinton wrote:

> I would like to suggest Yet Another Mailing List. This list be named 
> WBEL-Update. This list be one way, we sign up, but only the powers that 
> be with regards to announcing updates, have the ability to send from it. 
> I would find this to be most useful for two big reasons. First, I could 
> easily filter this list to a different mailbox, making update 
> announcements stand out from the general traffic. Yes, sometimes I don't 
> have time and I just go delete delete delete... I'd hate to miss an 
> important update.

How about whitebox-announce?  To date it has carried exactly two messages.  
One announcing RC2 and one announcing an updated rsync package.

> Second, this would increase security a bit, particularly in these 
> startup phases and later for any newbies to WBEL. If we do all the 
> announcements via the regular list, anyone could set up a bogus site with 
> a bogus program, put the link on the list and 'announce' an important 
> update. Particularly those which will not be able to be done by up2date, 
> such as up2date itself. Could be a big problem should an evil mind 
> decide to take over a bunch of machines.

Actually, up2date can update itself.  And since patches were posted to the
list yesterday fixing my crude efforts at getting it ported in from Fedora
that ability will soon get a live fire test.  If you didn't change the
option to check GPG keys (which should actually work after the update...)  
it should be pretty hard for anyone to inject a bogus package into the 
mirrors.

As for manual package updating, import the GPG keys you want to accept
from, watch for rpm's warnings and BE PARANOID.  Of course there is the
question of whether it IS paranoia when they ARE out to get you.  Debian,
Gentoo and Savannah cracked within about a week should be enough to get
everyone thinking about security issues.

-- 
John M.      http://www.beau.org/~jmorris        This post is 100% M$ Free!
Geekcode 3.1:GCS C+++ UL++++$ P++ L+++ W++ w--- Y++ b++ 5+++ R tv- e* r
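
An added example, not part of the original post: a check for the manual-update advice above, run after importing a trusted key with `rpm --import`. It classifies the one-line result of `rpm -K` (`--checksig`) and treats a bare "OK" with only digest checks as unsigned. The output formats in the sample lines are assumptions about typical rpm versions, and the function names and package names are hypothetical.

```shell
#!/bin/sh
# Classify one line of `rpm -K` output as verified, unsigned or bad.
# Assumption: rpm prints "<file>: <checks...> OK" on success, lower-case
# check names for checks that passed, and "NOT OK" on any failure.
classify_checksig() {
    line=$1
    result=${line#*: }            # drop the "<file>: " prefix
    case $result in
        *"NOT OK"*) echo bad; return 0 ;;   # failed digest, bad or missing key
    esac
    case $result in
        *OK) ;;                              # must end in a plain OK
        *) echo bad; return 0 ;;
    esac
    # A passing line only proves authenticity if a signature was checked.
    # "sha1 md5 OK" means the digests match, not that anyone signed it.
    for tok in $result; do
        case $tok in
            gpg|pgp|dsa|rsa|signatures) echo verified; return 0 ;;
        esac
    done
    echo unsigned
}

# Run the real check on a package file; succeeds only when a signature
# from an imported key verified. Not called below, since it needs rpm.
check_pkg() {
    verdict=$(classify_checksig "$(LC_ALL=C rpm -K "$1" 2>/dev/null)")
    echo "$1: $verdict"
    [ "$verdict" = verified ]
}

# Constructed sample lines (not captured from a real system).
while IFS= read -r l; do
    printf '%-9s %s\n' "$(classify_checksig "$l")" "$l"
done <<'EOF'
example-1.0-1.i386.rpm: (sha1) dsa sha1 md5 gpg OK
example-1.0-1.i386.rpm: sha1 md5 OK
example-1.0-1.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#00000000)
example-1.0-1.x86_64.rpm: digests signatures OK
example-1.0-1.x86_64.rpm: digests OK
EOF
```

Use `check_pkg ./some.rpm && rpm -Uvh ./some.rpm` so an unsigned or unverifiable package is never installed by hand.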