Ben Greiner wrote:
On 04.04.24 at 14:25, Atri Bhattacharya wrote:
Ben Greiner wrote: I plead guilty as charged. There are many packages of mine where there is a Source without an associated URL.
The point is, as long as somehow trusted and well-known contributors like you and me exhibit such practices, how would the maliciously crafted contribution of an attacker be suspicious in this regard?
As things stand, I agree that it would not. Enforcing strict traceability of upstream sources (and patches where possible) will, I believe, help to a degree; but there is no silver bullet, especially if an attacker were to do something over on OBS in a manner as planned, meticulous, and eventually back-stabbing as the takeover of xz was. We can only try to make it as difficult as possible to get such a package (or update) into Factory by enforcing checks against upstream (assuming that is clean).

Let us also mention that many packagers (generally trusted long-timers) are the reviewers of their own SRs when it comes to devel project submissions. I know I am for several packages. We should probably rethink our guidelines for making one a maintainer of a devel project package, as in something like 10 contributions to the package needed before you may be assigned maintainership. Or have a points system: award points for accepted SRs into Factory, etc., and impose a point threshold before allowing maintainership. Just thinking aloud here.

Best wishes.

-- Atri
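The traceability check the two mails circle around (a Source line in a spec file with no URL, so nobody can tell where the tarball came from) is easy to lint for mechanically. The following is an added example, not a tool from openSUSE, OBS or either author; the spec fragment is constructed and the package and host names in it are placeholders. It walks every Source and Patch tag, expands %{name} and %{version} from the spec itself, and classifies each entry: an absolute URL is traceable, a keyring or rpmlintrc file is a local file that legitimately has no upstream, a local patch is flagged for information (patches are normally carried in the package, as the mail notes), and any other Source without a URL is reported as untraceable.

```python
import re
from urllib.parse import urlparse

# Constructed sample spec (not a real package); names and URLs are placeholders
# chosen only to exercise each branch of the classifier below.
SAMPLE_SPEC = """\
Name:           example-pkg
Version:        1.2.3
Release:        0
Source0:        https://example.org/releases/%{name}-%{version}.tar.gz
Source1:        https://example.org/releases/%{name}-%{version}.tar.gz.asc
Source2:        example-pkg.keyring
Source3:        vendored-blob.tar.xz
Patch0:         fix-build.patch
Patch1:         https://example.org/commit/abc123.patch
"""

TAG_RE = re.compile(r"^(Source|Patch)(\d*):\s*(\S+)", re.IGNORECASE)
MACRO_RE = re.compile(r"^(Name|Version):\s*(\S+)", re.IGNORECASE)
ALLOWED_SCHEMES = {"https", "http", "ftp"}
# Local files that conventionally have no upstream origin to record.
LOCAL_OK_SUFFIXES = (".keyring", "-rpmlintrc", ".rpmlintrc")


def _spec_macros(spec_text):
    """Collect the simple macros (%{name}, %{version}) defined by the spec's own tags."""
    macros = {}
    for line in spec_text.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1).lower()] = m.group(2)
    return macros


def classify_sources(spec_text):
    """Return [(tag, expanded_value, status)] for every Source/Patch tag.

    status is one of:
      'url'         absolute URL with an allowed scheme: the origin is recorded
      'local-ok'    keyring / rpmlintrc: a local file with no upstream by nature
      'local-patch' Patch tag pointing at a file shipped in the package
      'untraceable' Source tag with no URL: provenance is not recorded in the spec
    """
    macros = _spec_macros(spec_text)
    results = []
    for line in spec_text.splitlines():
        m = TAG_RE.match(line)
        if not m:
            continue
        kind, num, value = m.group(1).capitalize(), m.group(2), m.group(3)
        # Expand only the macros we know; unknown macros are left as-is so the
        # reviewer still sees them in the report.
        for name, val in macros.items():
            value = value.replace("%{" + name + "}", val)
        parsed = urlparse(value)
        if parsed.scheme.lower() in ALLOWED_SCHEMES and parsed.netloc:
            status = "url"
        elif value.endswith(LOCAL_OK_SUFFIXES):
            status = "local-ok"
        elif kind == "Patch":
            status = "local-patch"
        else:
            status = "untraceable"
        results.append((kind + num, value, status))
    return results


def untraceable_sources(spec_text):
    """Tags a reviewer should block on: Source entries whose origin is not recorded."""
    return [tag for tag, _, status in classify_sources(spec_text) if status == "untraceable"]


if __name__ == "__main__":
    for tag, value, status in classify_sources(SAMPLE_SPEC):
        print(f"{tag:<8} {status:<12} {value}")
    bad = untraceable_sources(SAMPLE_SPEC)
    print("untraceable:", ", ".join(bad) if bad else "none")
```

Run against the constructed spec, Source3 is the only entry reported as untraceable; Source0 and Source1 resolve to full URLs after macro expansion, Source2 is accepted as a keyring, and Patch0 is listed as a local patch without blocking. A real review would still have to fetch the URL and compare the tarball checksum against what is in the package, which this lint deliberately does not do (it runs offline); the point here is only that a missing URL becomes a visible, mechanical finding instead of something a trusted packager is quietly allowed to skip.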