Interesting, as I also always wondered
about what measures are taken in the OBS infrastructure for
building Factory packages to prevent
malicious contributions, especially in the area of checking that
all the files in a project (source, patches, .spec) are legit.
For example, it is relatively easy for a new contributor to submit
a new package in a devel project and then
in Factory (and become maintainer), or to submit requests to
existing projects.
I think it should largely remain that way so as not to discourage new
contributions, but have all the safeguards been considered to prevent
malicious contributions? Probably not.
I think analyzing all possible scenarios and hardening solutions
is inevitable and that all distros are evaluating their security
at this moment.
On 4/4/24 11:16 AM, Atri Bhattacharya wrote:
Perhaps we should reconfigure the Factory bot to forbid non-URL
sources from Factory packages entirely. I am not sure how many
packages currently have these, but I am fixing one right now.
How would that work with packages built from a .obscpio archive that
was generated by
invoking a service manually or by locally fetching the source from
git? Such as pango:
https://build.opensuse.org/package/show/openSUSE:Factory/pango
Are these already checked to verify the .obscpio is legit?
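As an added illustration of the kind of check Atri proposes above (this is example code written for this page, not the Factory bot's code or anything from the thread), the snippet below parses the Source tags out of a spec file and flags every source that is not a fetchable URL, with a separate finding for service-generated .obscpio archives so a reviewer knows to look for the _service file and a pinned revision. The sample spec text, the allowed URL schemes and the allow-listed suffix for keyring files are constructed assumptions, not openSUSE policy.

```python
import re
from urllib.parse import urlparse

# Constructed sample spec fragment for demonstration (not pango's real spec).
SAMPLE_SPEC = """\
Name:           example
Version:        1.2.3
Source0:        https://example.invalid/example-%{version}.tar.xz
Source1:        https://example.invalid/example-%{version}.tar.xz.sig
Source2:        example.keyring
Source3:        example-%{version}.obscpio
Patch0:         fix-build.patch
"""

# Matches "Source:", "Source0:", "Source12:" lines; Patch tags are ignored.
SOURCE_RE = re.compile(r"^(Source\d*)\s*:\s*(\S+)\s*$", re.MULTILINE)

# Assumed set of schemes a download service could fetch from.
ALLOWED_SCHEMES = {"https", "http", "ftp"}


def source_tags(spec_text):
    """Return (tag, value) pairs for every Source tag in the spec."""
    return SOURCE_RE.findall(spec_text)


def is_url_source(value):
    """True when the source value is a URL with an allowed scheme and a host."""
    parsed = urlparse(value)
    return parsed.scheme in ALLOWED_SCHEMES and bool(parsed.netloc)


def non_url_sources(spec_text, allow_suffixes=(".keyring",)):
    """Return Source tags whose value is not a downloadable URL.

    Small local files such as GPG keyrings are routinely kept in the
    package itself, so they are excluded via allow_suffixes (an assumed
    allow-list) and the check concentrates on opaque archives.
    """
    flagged = []
    for tag, value in source_tags(spec_text):
        if is_url_source(value):
            continue
        if value.endswith(allow_suffixes):
            continue
        flagged.append((tag, value))
    return flagged


def check_spec(spec_text):
    """Return human-readable findings for a reviewer; an empty list means pass."""
    findings = []
    for tag, value in non_url_sources(spec_text):
        if value.endswith(".obscpio"):
            findings.append(
                f"{tag}: {value} is a service-generated archive with no "
                "upstream URL; confirm the _service file and its pinned revision"
            )
        else:
            findings.append(f"{tag}: {value} is a non-URL source")
    return findings


if __name__ == "__main__":
    for line in check_spec(SAMPLE_SPEC):
        print(line)
```

Run against the constructed spec, the check passes the two URL sources and the keyring and reports only Source3, the .obscpio archive, which is exactly the case the question above is about: a URL-only rule does not by itself tell you whether a locally generated archive matches its upstream, so the finding points the reviewer at the service definition rather than pretending to verify the archive.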