[CentOS] rpm libuser-devel is not signed

Thu Apr 21 11:35:50 UTC 2011
Karanbir Singh <mail-lists at karan.org>

On 04/21/2011 12:26 PM, Mathieu Baudier wrote:
> Sorry, but not everybody is on production machines.

Security and integrity of an install are not optional, wherever you might 
be. Imho anyway.

> Maybe he was just told: "install quickly this CentOS in VirtualBox,
> just to make sure our app is compatible", and in that case the sooner
> the better.
>
> My "advice" and those of others were underlining the security risk.
> The one of Akemi seems pretty safe (not installing the update).

If there is reason to suspect a mirror or installation is compromised, 
one should - again imho - not be doing any operations against that.

> To put it shortly: Freedom, as in "free software", is about doing
> whatever you want.

That's true, but there is also a sense of responsibility that comes with 
the advice that is handed out and who / where it's being handed out. One 
could potentially assume that the people on this list would know what 
they are talking about and would only advise based on what's considered 
best practice. The fact that the OP didn't know what was going on would 
be a good sign to assume that he was looking for people who did know 
what was going on. E.g. telling people to jump off a cliff, just because 
you can, isn't nice. Freedom or otherwise.

> This being said, I do agree that having a non-signed package is a MASSIVE deal.
> Do we have more details about what's going on here?

Yes, a package was released unsigned, and has been fixed (and 4 more 
tests added to the release process to make sure that this does not 
happen again, or at least reduce the chance of this going out).

- KB
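The kind of release-gate test KB mentions, as an added example that is not part of this thread and not the CentOS release tooling: it queries the signature header tags of each RPM with `rpm -qp --qf` and refuses anything that is unsigned or signed by a key other than the expected one. The key ID is a placeholder (assumption); a real gate would take it from the project's RPM-GPG-KEY file or from `rpm -q gpg-pubkey --qf '%{VERSION}\n'`. The sample signature strings fed to `sig_status` at the end are constructed to match the shape rpm prints, not copied from a real package.

```shell
#!/bin/sh
# Release gate: refuse to publish an RPM that is not signed by the project key.
# Added example, not CentOS release code. EXPECTED_KEYID is a placeholder.
EXPECTED_KEYID="0123456789abcdef"

# Classify one signature string as rpm prints it for '%{SIGPGP:pgpsig}' or
# '%{SIGGPG:pgpsig}': "(none)" when the tag is absent, otherwise something
# like "DSA/SHA1, Thu 21 Apr 2011 ..., Key ID 0123456789abcdef".
# Prints unsigned / wrong-key / ok; exit status 0 only for ok.
sig_status() {
    sig="$1"
    case "$sig" in
        "(none)"|"")                 echo unsigned;  return 1 ;;
        *"Key ID $EXPECTED_KEYID")   echo ok;        return 0 ;;
        *"Key ID "*)                 echo wrong-key; return 1 ;;
        *)                           echo unsigned;  return 1 ;;
    esac
}

# Read the signature of a real package (needs rpm installed). Tries the RSA
# tag first, then the DSA tag that older keys such as CentOS 5's used.
rpm_sig() {
    f="$1"
    sig=$(rpm -qp --qf '%{SIGPGP:pgpsig}' "$f" 2>/dev/null)
    [ "$sig" != "(none)" ] || sig=$(rpm -qp --qf '%{SIGGPG:pgpsig}' "$f" 2>/dev/null)
    printf '%s\n' "$sig"
}

# Gate a directory of RPMs: print every offender, fail if there is any.
gate_dir() {
    rc=0
    for f in "$1"/*.rpm; do
        [ -e "$f" ] || continue
        st=$(sig_status "$(rpm_sig "$f")") || { echo "REJECT $f: $st"; rc=1; }
    done
    return $rc
}

# Demo on constructed signature strings (no rpm needed).
for s in "(none)" \
         "DSA/SHA1, Thu 21 Apr 2011 11:35:50 AM UTC, Key ID 0123456789abcdef" \
         "RSA/SHA256, Thu 21 Apr 2011 11:35:50 AM UTC, Key ID fedcba9876543210"; do
    echo "$s -> $(sig_status "$s")"
done
# Real use: gate_dir /path/to/staging/x86_64 || exit 1
```

On the consumer side the same header is what yum checks when `gpgcheck=1` is set in the repo definition, which is why an unsigned package from the mirror fails to install rather than silently going in; disabling gpgcheck to get past that error is exactly the advice KB objects to above.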