On Thu, 4 Apr 2024, Michael Pujos wrote:
> On 4/4/24 11:16 AM, Atri Bhattacharya wrote:
>> Perhaps we should reconfigure the Factory bot to forbid non-URL sources from Factory packages entirely. I am not sure how many packages currently have these, but I am fixing one right now.
> How would that work with packages built from a .obscpio archive that was generated from invoking a service manually or locally fetching the source from git? Such as pango:
> https://build.opensuse.org/package/show/openSUSE:Factory/pango
> Are these already checked to verify the .obscpio is legit?
There's also the concern of typo-squatting an upstream URL or
in the case of github referring to a malicious fork with similar
enough name.
That would mean keeping a whitelist of domains and projects or
at least forcing manual reviews of certain types of URL changes
for both Source and Patch references.
That a tarball also exists in some form somewhere on the internet
isn't so much of a reassurance if you have no means of validating
its origin.
Richard.
--
Richard Biener
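The checks the thread circles around (rejecting non-URL Source/Patch references, matching hosts and GitHub org/repo pairs against an allowlist, catching look-alike hostnames, and demanding review when a reference moves to a different origin between two revisions of a spec file) can be sketched in a few lines. The following is an added illustration written for this page; it is not code from the openSUSE Factory bot or from OBS. The allowlist contents, the `example-org/foo` repository, the 0.8 similarity threshold and the two spec fragments are all constructed for the example, and the spec parsing deliberately handles only plain `SourceN:`/`PatchN:` lines (no macro expansion).

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed allowlist for this illustration; a real bot would load a
# reviewed list rather than hard-code it.
ALLOWED_HOSTS = {"ftp.gnu.org", "download.gnome.org", "github.com"}
ALLOWED_GITHUB_REPOS = {"example-org/foo"}   # hypothetical trusted org/repo pairs
NEAR_MISS_RATIO = 0.8                         # similarity threshold for look-alike hosts

# Matches "Source0: ..." / "Patch3: ..." lines; macros are not expanded.
SRC_RE = re.compile(r"^(Source|Patch)(\d*)\s*:\s*(\S+)", re.MULTILINE)


def parse_sources(spec_text):
    """Return [(tag, reference)] for every Source/Patch line in a spec file."""
    return [(m.group(1) + m.group(2), m.group(3)) for m in SRC_RE.finditer(spec_text)]


def origin(ref):
    """Where a reference comes from: None for local files (no URL),
    'github.com/<org>/<repo>' for GitHub, otherwise the bare hostname."""
    parts = urlsplit(ref)
    if parts.scheme not in ("http", "https", "ftp") or not parts.hostname:
        return None
    host = parts.hostname.lower()
    if host == "github.com":
        segs = parts.path.strip("/").split("/")
        return "github.com/" + "/".join(segs[:2])
    return host


def near_miss(host):
    """Return the allowlisted host this one resembles, if any (typosquat check)."""
    for ok in sorted(ALLOWED_HOSTS):
        if host != ok and SequenceMatcher(None, host, ok).ratio() >= NEAR_MISS_RATIO:
            return ok
    return None


def classify(ref):
    """Return (verdict, reason); verdict is ok, non-url, suspect or review."""
    src = origin(ref)
    if src is None:
        return "non-url", "local file, origin cannot be verified"
    if src.startswith("github.com/"):
        repo = src[len("github.com/"):]
        if repo in ALLOWED_GITHUB_REPOS:
            return "ok", src
        return "review", f"GitHub repo {repo} not allowlisted (possible fork)"
    if src in ALLOWED_HOSTS:
        return "ok", src
    similar = near_miss(src)
    if similar:
        return "suspect", f"{src} resembles allowlisted {similar}"
    return "review", f"{src} not allowlisted"


def audit(old_spec, new_spec):
    """Classify every reference in new_spec. A reference that is otherwise fine
    still needs review when it now points at a different origin than it did in
    old_spec (a version bump on the same host stays ok)."""
    old = dict(parse_sources(old_spec))
    findings = []
    for tag, ref in parse_sources(new_spec):
        verdict, reason = classify(ref)
        if verdict == "ok" and tag in old and origin(old[tag]) != origin(ref):
            verdict = "review"
            reason = f"{tag} origin changed from {origin(old[tag])} to {origin(ref)}"
        findings.append((tag, verdict, reason))
    return findings


# Constructed spec fragments: the previous revision and the submitted one.
OLD_SPEC = """\
Name:    foo
Source0: https://ftp.gnu.org/gnu/foo/foo-1.0.tar.xz
Patch0:  fix-build.patch
"""
NEW_SPEC = """\
Name:    foo
Source0: https://ftp.gnu.org/gnu/foo/foo-1.1.tar.xz
Source1: foo-1.1.obscpio
Patch0:  https://ftp.gnu.0rg/foo/fix-build.patch
Patch1:  https://github.com/someone/foo-fork/commit/0001.patch
Patch2:  https://github.com/example-org/foo/commit/0001.patch
"""

if __name__ == "__main__":
    for tag, verdict, reason in audit(OLD_SPEC, NEW_SPEC):
        print(f"{tag:8} {verdict:8} {reason}")
```

Run as a script it lists each reference with its verdict: the `.obscpio` archive is reported as non-url because, as the thread notes, nothing about it can be checked against an upstream location; `ftp.gnu.0rg` is flagged as a look-alike of an allowlisted host; and the patch pulled from an unknown GitHub repository is routed to manual review even though the host itself is trusted, which is the fork case raised above.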