[Bug 1223086] New: consider integrity checking in source services mandatory
https://bugzilla.suse.com/show_bug.cgi?id=1223086

Bug ID: 1223086
Summary: consider integrity checking in source services mandatory
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: jzerebecki@suse.com
QA Contact: qa-bugs@suse.de
Target Milestone: ---
Found By: ---
Blocker: ---

Not sure if this is the right component/product...

I have previously asked this similarly via mail, so trying here to not let it drop off the table again:

Can we agree to consider the following as security bugs?:

In scope: Any source services available in Factory, when no explicit argument like "insecure" is enabled (so a program can find and count them, an exhaustive list of those exception labels will be later defined in source_validator). If a bug is found that makes the output not reproducible or verification of downloads is not cryptographically secure, it is categorised as a security bug to be fixed.

Out of scope, for now: How those services are used in packages.

For larger context see: https://github.com/openSUSE/obs-service-source_validator/issues/134

--
You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1223086

Jan Zerebecki <jzerebecki@suse.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC   |        |jsegitz@suse.com

https://bugzilla.suse.com/show_bug.cgi?id=1223086#c1

--- Comment #1 from Johannes Segitz <jsegitz@suse.com> ---

We discussed that a bit further via email. To make it explicit: This only applies to packages that use source services. This doesn't make it mandatory to use them.

As discussed in the team: Going forward we will treat issues like the one described by Jan as a security issue.

https://bugzilla.suse.com/show_bug.cgi?id=1223086#c2

Jan Zerebecki <jzerebecki@suse.com> changed:

What       |Removed |Added
----------------------------------------------------------------------------
Resolution |---     |FIXED
Status     |NEW     |RESOLVED

--- Comment #2 from Jan Zerebecki <jzerebecki@suse.com> ---

Thank you!