Neal Gompa wrote:
> This is also the underlying reason why Red Hat has resisted
> implementing signed repository metadata and enforcing it by default.
> Of course this is a bit of a catch-22 as well, as there's no
> motivation to find a solution because neither Fedora nor RHEL offer
> signed repository metadata despite repeated calls for it over the past
> decade.

Is signed repository metadata not basically moot now that pretty much all
the world has moved on from unencrypted HTTP to secure HTTPS?

> Now, don't get me wrong: I'm personally extremely unhappy about having
> to depend on the Sequoia stack for RPM PGP. I have a strong distaste
> for the Rust community ecosystem these days, and I don't love the idea
> of having to have LLVM in the core bootstrap chain (hopefully gcc-rs
> will be in place soon enough!).

The dependency on LLVM is not even the worst issue in my eyes. LLVM is also
used by other core projects, e.g., mesa, these days.

The worst issue I see with Rust is the way libraries are "packaged", which
just implies installing source code and recompiling that source code for
every single application. (And as a result, the output obviously gets
statically linked into the application, with all the drawbacks of static
linking.) I consider a language with no usable shared library support to be
entirely unpackageable and hence entirely useless.

And then of course there is the issue that it is yet another language with
yet another syntax (and an only partially C-like one, so the learning curve
is unnecessarily high), yet another library ecosystem, etc. C has been the
de facto lingua franca all this time; now we are back into a Tower-of-Babel
scenario with tons of programming languages, which will necessarily bloat
the core system over time.

> So here we are, in a subpar situation created by bad tools because
> nobody cares enough about security anyway.

Sounds like a mess indeed.

Kevin Kofler