Interesting, as I also always wondered about what measures are taken in the OBS infrastructure for building Factory packages to prevent malicious contributions, especially in the area of checking that all the files in a project (source, patches, .spec) are legit. For example, it is relatively easy for a new contributor to submit a new package in a devel project and then in Factory (and become maintainer), or to submit requests to existing projects. I think it should largely remain that way to not discourage new contributions, but have all the safeguards been considered to prevent malicious contributions? Probably not. I think analyzing all possible scenarios and hardening solutions is inevitable and that all distros are evaluating their security at this moment.

On 4/4/24 11:16 AM, Atri Bhattacharya wrote:
Perhaps we should reconfigure the Factory bot to forbid non-URL sources from Factory packages entirely. I am not sure how many packages currently have these, but I am fixing one right now.
How would that work with packages built from a .obscpio archive that was generated from invoking a service manually or locally fetching the source from git? Such as pango: https://build.opensuse.org/package/show/openSUSE:Factory/pango

Are these already checked to verify the .obscpio is legit?
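As an added illustration of the kind of check being discussed (not the actual Factory bot's code, and not from openSUSE-release-tools), here is a small review-side check that walks the `Source` tags of a .spec, expands `%{name}`/`%{version}`, and reports every source that is not fetched from a URL. The sample spec and the allowlist of local files (keyring, baselibs.conf) are assumptions made for this example; .obscpio archives are reported separately because, as noted above, they need a different check (that the `_service` file regenerates them).

```python
import re

# Constructed sample .spec fragment for this example; not taken from any real package.
SAMPLE_SPEC = """\
Name:           example
Version:        1.2.3
Source0:        https://example.org/releases/%{name}-%{version}.tar.xz
Source1:        %{name}.keyring
Source2:        baselibs.conf
Source3:        %{name}-%{version}.obscpio
Patch0:         fix-build.patch
"""

SOURCE_RE = re.compile(r"^(Source\d*)\s*:\s*(\S+)", re.IGNORECASE | re.MULTILINE)
URL_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)
# Assumed policy for this example: local files a reviewer normally accepts next to a URL source.
ALLOWED_LOCAL = re.compile(r"\.keyring$|^baselibs\.conf$", re.IGNORECASE)


def _macros(spec_text):
    """Collect %{name} and %{version} so Source values can be expanded."""
    found = {}
    for tag in ("Name", "Version"):
        m = re.search(rf"^{tag}\s*:\s*(\S+)", spec_text, re.IGNORECASE | re.MULTILINE)
        if m:
            found[tag.lower()] = m.group(1)
    return found


def expand(value, macros):
    """Replace %{macro} occurrences we know; leave unknown macros untouched."""
    return re.sub(r"%\{(\w+)\}", lambda m: macros.get(m.group(1).lower(), m.group(0)), value)


def find_non_url_sources(spec_text):
    """Return (tag, expanded value, reason) for every Source that is not a URL
    and not on the assumed local-file allowlist."""
    macros = _macros(spec_text)
    findings = []
    for tag, raw in SOURCE_RE.findall(spec_text):
        value = expand(raw, macros)
        if URL_RE.match(value) or ALLOWED_LOCAL.search(value):
            continue  # fetched from a URL, or an accepted local file
        if value.endswith(".obscpio"):
            reason = "obscpio archive: confirm _service regenerates it from the upstream repo"
        else:
            reason = "local file not fetched from a URL"
        findings.append((tag, value, reason))
    return findings


if __name__ == "__main__":
    for tag, value, reason in find_non_url_sources(SAMPLE_SPEC):
        print(f"{tag}: {value} -> {reason}")
```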