LinuxQuestions.org
Fedora This forum is for the discussion of the Fedora Project.

Old 09-29-2014, 02:16 AM   #1
the_gripmaster
Member
 
Registered: Jul 2004
Location: VIC, Australia
Distribution: RHEL, CentOS, Ubuntu Server, Ubuntu
Posts: 364

Rep: Reputation: 38
Question Security of Fedora third party repo: RPMFusion


Due to the nature of Fedora licensing, it does not come with much proprietary software like Adobe, Flash, and codecs. So many Fedora users resort to using RPMFusion. My question is how safe is RPMFusion from a security perspective, and has it had any history of ever being 0wn3d? How much trust can I put in the RPM builders at RPMFusion?

I am aware every RPM package from RPMFusion is signed with their GPG keys and yum will verify (by default) the integrity of every package installed from RPMFusion.
 
Old 09-29-2014, 06:59 PM   #2
notKlaatu
Senior Member
 
Registered: Sep 2010
Location: Lawrence, New Zealand
Distribution: Slackware
Posts: 1,077

Rep: Reputation: 732
I don't have any data about rpmfusion.org's (which was once livna and some other site) track record in terms of security, but I do have anecdotal evidence that there has never been an issue on my Fedora systems, which I have run off-and-on since Fedora 7 or 8. Presumably they would be forthcoming about any compromise that they detect.

Of course, nothing is a sure thing. If you are very concerned about the security of the packages, you can download the source RPMs (or even the binary ones, and just steal the spec file), explode them, analyze, and rebuild. Just install all the rpmbuild tools and go for it.
 
Old 09-29-2014, 08:07 PM   #3
jefro
Moderator
 
Registered: Mar 2008
Posts: 21,976

Rep: Reputation: 3623
All security is a numbers game. If you have one program you are much less likely to be attacked. If you have installed 20,000 then it is likely that one or more will let a hacker in.
 
Old 09-30-2014, 02:12 AM   #4
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,624

Rep: Reputation: 2651
rpmfusion seems to be good
just INSTALL AND CONFIGURE!!!!!!
the yum plugin "yum-priorities" !!!!!!!!!!

you DO NOT want critical system files replaced

you WANT updates and base to be higher priority than rpmfusion
 
1 members found this post helpful.
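
An added example, not written by any poster in this thread: a small audit of yum `.repo` definitions for the two controls discussed above, per-repo `gpgcheck` (post #1) and priorities-plugin ordering that keeps base and updates above RPM Fusion (post #4). The repo ids `fedora` and `updates`, the sample file contents, the plugin default priority of 99, and treating an unset `gpgcheck` as off are assumptions of this example.

```python
import configparser

# Constructed sample in /etc/yum.repos.d/*.repo format (not from the thread).
SAMPLE = """\
[fedora]
gpgcheck=1
priority=1
[updates]
gpgcheck=1
priority=1
[rpmfusion-free]
gpgcheck=1
priority=10
[rpmfusion-nonfree]
gpgcheck=0
priority=1
[rpmfusion-free-updates-testing]
enabled=0
gpgcheck=0
"""

TRUE = {"1", "yes", "true"}
DEFAULT_PRIORITY = 99  # priorities plugin default when a repo sets none


def audit(repo_text, trusted=("fedora", "updates")):
    """Return sorted (repo, problem) pairs for the enabled repositories."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(repo_text)
    enabled = {}
    for name in cp.sections():
        sec = cp[name]
        if sec.get("enabled", "1").strip().lower() not in TRUE:
            continue  # disabled repos are not consulted
        # Assumption: an unset gpgcheck counts as off (yum inherits [main]).
        signed = sec.get("gpgcheck", "0").strip().lower() in TRUE
        enabled[name] = (signed, int(sec.get("priority", DEFAULT_PRIORITY)))
    # Lower number wins, so the weakest trusted repo has the largest number.
    weakest = max((p for n, (_, p) in enabled.items() if n in trusted),
                  default=DEFAULT_PRIORITY)
    findings = []
    for name, (signed, prio) in enabled.items():
        if not signed:
            findings.append((name, "gpgcheck is not enabled"))
        if name not in trusted and prio <= weakest:
            findings.append((name, "priority %d does not rank below "
                                   "base/updates (%d)" % (prio, weakest)))
    return sorted(findings)
```

To check a real system, pass `audit()` the concatenated text of the files in `/etc/yum.repos.d/`; an empty list means every enabled repo verifies signatures and no third-party repo can outrank base or updates.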
Old 10-01-2014, 02:23 PM   #5
Lsatenstein
Member
 
Registered: Jul 2005
Location: Montreal Canada
Distribution: Fedora 31and Tumbleweed) Gnome versions
Posts: 311
Blog Entries: 1

Rep: Reputation: 59
This is my view.
rpmfusion.org is a hosting website for certified software. That means that both the website itself, rpmfusion.org, is verified via a certificate authority.

Regarding the software, each rpm file is protected by a security key, verified by the yum installation software. That software was provided by a recognized maintainer or group of maintainers.

If you download software from rpmfusion.org, you can rest assured that it is clean and you may have as much confidence in it as you would have with Fedora itself.
 
Old 11-09-2014, 10:41 AM   #6
Lsatenstein
Member
 
Registered: Jul 2005
Location: Montreal Canada
Distribution: Fedora 31and Tumbleweed) Gnome versions
Posts: 311
Blog Entries: 1

Rep: Reputation: 59
Why rpmfusion?

The USA is a country that supports lawyers, lawyer firms and software patents and lawsuits.

Fedora would like to make rpmfusion an optional repository, but rpmfusion hosts software that may use an algorithm or some technique that has a USA software patent.

Why be sued and have costly legal battles? Ergo, Fedora, an American Linux product, will not open itself up to being sued.

Outside of the USA, most countries do not recognize unlimited software patents. Almost all countries recognize copyrights. For a copyright violation, there is a take-down notice. A copyright violation means either plagiarism or posting the software without referring to the author for permission, or redirecting the user to his website for the download.

Fortunately, more and more, Open-Source software is killing the patent trolls. 80% of commercial products on the market use some routines from Open-Source.

Some day we may see the USA congress pass a law banning software patents beginning 201x. If the patent is not implemented and sold as a product or pending product, it will be refused. A software patent may be made to lapse if not demonstrated in an owned product. It may be that only patentable software would be limited to a device driver that directly controls hardware.

So for now, there are several respin "Forks" of Fedora, where the "Enhanced Fedora" is obtainable from locations in countries where all software is considered an algorithm (like mathematics) and where the added contents to Fedora are, in that country, not patentable.

Sorry for being so verbose.
 
  

