aplanas wrote:
This all makes a naive attack more evident, but AFAIK I still did not see any idea that will protect us from the kind of attack that XZ suffered, when a rogue maintainer signs compromised upstream tarballs, nor, as commented, when an OBS package maintainer decides to add a backdoor in the package.
Leaving aside the rust packaging case for now, I posit that having full URLs for `Source<N>` certainly prevents a rogue build.o.o *packager* from inserting a backdoor into tarballs used for openSUSE package builds when upstream tarballs are clean. I think Factory bots already currently — and have for years — enforce this by explicitly checking the package source tarballs against the upstream indicated either with a full URL in the spec file or via _service. Note again that my intention in this thread is not to directly address the kind of backdoor insertion that was done at the level of upstream repositories for xz, but rather about whether a downstream packager could do something similar even when the upstream repo is clean.

Best wishes
-- Atri
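The check Atri describes, sketched as an added example that is not the Factory bots' own code: parse the `Source<N>` tags of a spec, and for every source that carries a full URL compare the digest of the packaged tarball against what upstream serves, while a bare filename is reported as unverifiable because there is nothing to compare it against. The spec fragment, the tarball bytes and the `fetch` callable (which stands in for an HTTP download) are all constructed for the demo.

```python
import hashlib
import re
from typing import Callable, Dict

# Constructed spec fragment for illustration; not a real openSUSE package.
SAMPLE_SPEC = """\
Name:           example
Version:        1.2.3
Source0:        https://example.invalid/releases/example-%{version}.tar.gz
Source1:        example-rpmlintrc
Source2:        patches.tar.xz
"""

SOURCE_RE = re.compile(r"^Source(\d*):\s*(\S+)", re.MULTILINE)
TAG_RE = re.compile(r"^(\w+):\s*(\S+)", re.MULTILINE)


def parse_sources(spec: str) -> Dict[str, str]:
    """Return {'Source0': value, ...} with %{name}/%{version}-style macros
    expanded from the preamble tags, so a URL value can actually be fetched."""
    macros = {tag.lower(): val for tag, val in TAG_RE.findall(spec)}

    def expand(m: re.Match) -> str:
        return macros.get(m.group(1).lower(), m.group(0))

    return {f"Source{n}": re.sub(r"%\{(\w+)\}", expand, v)
            for n, v in SOURCE_RE.findall(spec)}


def check_sources(spec: str, local: Dict[str, bytes],
                  fetch: Callable[[str], bytes]) -> Dict[str, str]:
    """Compare each packaged source blob with what its declared upstream URL serves.

    local: {basename: bytes} as checked into the package; fetch: downloads a URL.
    Verdicts: 'ok' (digests match), 'mismatch' (packaged tarball differs from
    upstream's), 'missing' (URL given, no local file), 'unverifiable' (bare
    filename: the spec gives no upstream reference to compare against).
    """
    verdicts = {}
    for tag, value in parse_sources(spec).items():
        if not re.match(r"https?://", value):
            verdicts[tag] = "unverifiable"
            continue
        name = value.rsplit("/", 1)[-1]
        if name not in local:
            verdicts[tag] = "missing"
            continue
        packaged = hashlib.sha256(local[name]).hexdigest()
        upstream = hashlib.sha256(fetch(value)).hexdigest()
        verdicts[tag] = "ok" if packaged == upstream else "mismatch"
    return verdicts


if __name__ == "__main__":
    clean = b"clean upstream tarball bytes"  # constructed stand-in for the archive
    print(check_sources(SAMPLE_SPEC, {"example-1.2.3.tar.gz": clean}, lambda u: clean))
    print(check_sources(SAMPLE_SPEC, {"example-1.2.3.tar.gz": clean + b"\0"}, lambda u: clean))
```

The second run models exactly the case under discussion: upstream is clean, but the tarball checked into the package is not, and only the full URL makes that detectable.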