Re: Mozilla's apt repository; was: Refugee from [x]ubuntu, a few initial questions

2024-10-11 Thread Florent Rougon
Hi,
On 11/10/2024, Brad Rogers wrote:
>>if some evil actor gets access to mozilla's
>>repository and injects some malware into it.
>
> A point I missed. Clearly.
>
> Thanks for highlighting.
This is not very convincing. If an evil actor were in a position to do that, they would probably

Re: Mozilla's apt repository; was: Refugee from [x]ubuntu, a few initial questions

2024-10-11 Thread Brad Rogers
On Fri, 11 Oct 2024 11:56:12 +0100 debian-u...@howorth.org.uk wrote:
Hello debian-u...@howorth.org.uk,
>if some evil actor gets access to mozilla's
>repository and injects some malware into it.
A point I missed. Clearly.
Thanks for highlighting.
--
Regards _ "Valid sig separator

Re: Mozilla's apt repository

2024-10-11 Thread Michael Kjörling
On 11 Oct 2024 11:56 +0100, from debian-u...@howorth.org.uk:
> I think the point is not about what actually happens now, but what
> might happen in future if some evil actor gets access to mozilla's
> repository and injects some malware into it.
>
> And thus the degree of trust that ought to be gi

Re: Mozilla's apt repository; was: Refugee from [x]ubuntu, a few initial questions

2024-10-11 Thread tomas
On Fri, Oct 11, 2024 at 11:56:12AM +0100, debian-u...@howorth.org.uk wrote:
> Brad Rogers wrote:
> > On Fri, 11 Oct 2024 07:37:03 +
> > Michael Kjörling wrote:
> >
> > Hello Michael,
> >
> > >That sounds like an even better argument for not pinning _everything_
> > >coming from that reposit

Re: Mozilla's apt repository; was: Refugee from [x]ubuntu, a few initial questions

2024-10-11 Thread debian-user
Brad Rogers wrote:
> On Fri, 11 Oct 2024 07:37:03 +
> Michael Kjörling wrote:
>
> Hello Michael,
>
> >That sounds like an even better argument for not pinning _everything_
> >coming from that repository at priority 1000.
>
> Maybe, but;
>
> As an experiment, I added the mozilla repo and

Re: Mozilla's apt repository; was: Refugee from [x]ubuntu, a few initial questions

2024-10-11 Thread Brad Rogers
On Fri, 11 Oct 2024 07:37:03 + Michael Kjörling wrote:
Hello Michael,
>That sounds like an even better argument for not pinning _everything_
>coming from that repository at priority 1000.
Maybe, but;
As an experiment, I added the mozilla repo and updated. Everything from their repos was l

Re: Mozilla's apt repository; was: Refugee from [x]ubuntu, a few initial questions

2024-10-11 Thread Michael Kjörling
On 10 Oct 2024 19:53 +0100, from b...@fineby.me.uk (Brad Rogers):
>> Though I would adjust that apt pinning configuration slightly to favor
>> only firefox and maybe thunderbird packages from their repository,
>
> AFAICT, the repo you cited has firefox(1) only.
That sounds like an even better ar