Thu, 04 Apr 2024 09:16:03 -0000 "Atri Bhattacharya"
I hope I am wrong.
You are. How would any of what you wrote actually help with the recent CVE? Is the dude who submitted the odd code still on board? I hope he is. I'm sure not all submit requests can get a full security review. No one spotted the added dot, for example. Who would be able to do the reviews anyway, at the required scale? You are right with the requirement to run autogen.sh for all projects that use autotools. But, it was said it would not help with that CVE. It may raise the bar for future attempts, if we actually used our existing tooling and grabbed fixed commit hashes from somewhere and let OBS internally create the source snapshots. Anyway, thanks for raising the topic.

Olaf
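As an added illustration of the "let OBS create the source snapshots from fixed commit hashes" idea (this is example configuration written for this page, not something posted by Olaf or taken from any real openSUSE package), the two `_service` files below contrast the usual approach of fetching an upstream release tarball with a snapshot that OBS builds itself from a pinned git commit. The repository URL, package name and the revision value are placeholders; a real file would carry the full 40-character commit SHA of the reviewed upstream commit.

```xml
<!-- Variant A (assumed typical today): fetch whatever tarball upstream published.
     The tarball contents are whatever the release manager put there; nothing ties
     them to a reviewed git commit. Placeholder host/path. -->
<services>
  <service name="download_url">
    <param name="protocol">https</param>
    <param name="host">example.org</param>
    <param name="path">/releases/foo-1.2.3.tar.xz</param>
  </service>
</services>

<!-- Variant B (what the reply proposes): OBS itself checks out a pinned commit and
     packs the tree, so the source snapshot is exactly the reviewed git state.
     Use a full commit SHA in "revision", not a tag or branch name: tags can be
     moved or re-pushed, a commit hash cannot be changed without changing its value.
     URL and SHA are placeholders. -->
<services>
  <service name="obs_scm">
    <param name="scm">git</param>
    <param name="url">https://example.org/upstream/foo.git</param>
    <param name="revision">0123456789abcdef0123456789abcdef01234567</param>
    <param name="versionformat">1.2.3+git%cd.%h</param>
    <param name="filename">foo</param>
  </service>
  <!-- Turn the checked-out tree into the tarball the spec file expects. -->
  <service name="tar" mode="buildtime"/>
  <service name="recompress" mode="buildtime">
    <param name="file">*.tar</param>
    <param name="compression">xz</param>
  </service>
  <service name="set_version" mode="buildtime"/>
</services>
```

Variant B only controls where the sources come from; regenerating the build system (autogen.sh or autoreconf -fi) still has to be done in the spec's %build section so that no pre-generated configure or m4 files from the checkout are trusted. It also does not replace review of what is in the pinned commit: if malicious content is already committed to git, snapshotting that commit reproduces it faithfully, which is the limitation the reply acknowledges for the recent CVE.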