On 04/21/2011 12:26 PM, Mathieu Baudier wrote:
> Sorry, but not everybody is on production machines.

Security and integrity of an install is not optional, wherever you might be. Imho anyway.

> Maybe he was just told: "install quickly this CentOS in VirtualBox,
> just to make sure our app is compatible", and in that case the sooner
> the better.
>
> My "advice" and those of others were underlining the security risk.
> The one of Akemi seems pretty safe (not installing the update).

If there is reason to suspect a mirror or installation is compromised, one should - again imho - not be doing any operations against that.

> To put it shortly: Freedom, as in "free software", is about doing
> whatever you want.

That's true, but there is also a sense of responsibility that comes with the advice that is handed out and who / where it's being handed out. One could potentially assume that the people on this list would know what they are talking about and would only advise based on what's considered best practice. The fact that the OP didn't know what was going on would be a good sign to assume that he was looking for people who did know what was going on. E.g. telling people to jump off a cliff, just because you can, isn't nice. Freedom or otherwise.

> This being said, I do agree that having a non-signed package is a MASSIVE deal.
> Do we have more details about what's going on here?

Yes, a package was released unsigned, and has been fixed (and 4 more tests were added to the release process to make sure that this does not happen again, or at least to reduce the chance of this going out).

- KB
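The message above mentions tests added to the release process so that an unsigned package does not ship again. The following is an added example of what such a gate could look like, written here for illustration; it is not the CentOS project's own release tooling. It assumes `rpm --checksig` (`rpm -K`) style output, where a signed package's line carries a `pgp` or `gpg` token and ends in `OK` while an unsigned package's line shows only digest tokens (exact wording varies by rpm version, so the sample lines below are constructed, not captured).

```shell
#!/bin/sh
# Constructed sample of `rpm -K` output lines (assumption about format):
# the first two packages carry a PGP signature, the third has only digests,
# i.e. it is unsigned and must not be released.
SAMPLE_CHECKSIG='foo-1.0-1.el5.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
bar-2.3-4.el5.noarch.rpm: rsa sha1 (md5) pgp md5 OK
baz-0.9-2.el5.x86_64.rpm: sha1 md5 OK'

# unsigned_packages: read rpm -K style lines on stdin and print the file
# name of every package that has no pgp/gpg signature token or whose
# verification did not end in a plain "OK" (e.g. "NOT OK").
unsigned_packages() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        name=${line%%:*}
        rest=${line#*:}
        signed=no
        case " $rest " in
            *" pgp "*|*" gpg "*) signed=yes ;;
        esac
        case "$rest" in
            *"NOT OK"*) signed=no ;;
            *" OK") ;;
            *) signed=no ;;
        esac
        [ "$signed" = yes ] || printf '%s\n' "$name"
    done
}

# release_gate: return 0 only when every package on stdin is signed;
# otherwise list the offenders on stderr and return 1 so the release
# pipeline stops before anything reaches the mirrors.
release_gate() {
    bad=$(unsigned_packages)
    if [ -n "$bad" ]; then
        printf 'UNSIGNED: %s\n' $bad >&2
        return 1
    fi
    return 0
}

# Usage with the constructed sample (the gate fails because of baz):
#   printf '%s\n' "$SAMPLE_CHECKSIG" | release_gate
```

In a real pipeline the input would come from `rpm -K` run over the built packages, with the signing key imported beforehand so that a forged or foreign signature is reported as `NOT OK` rather than silently accepted.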