On 2024-04-04 15:54, Atri Bhattacharya wrote:
Ben Greiner wrote:
On 04.04.24 at 14:25, Atri Bhattacharya wrote:
Ben Greiner wrote: I plead guilty as charged. There are many packages of mine where there is a Source without associated URL.
The point is, as long as somehow trusted and well-known contributors like you and me exhibit such practices, how would the maliciously crafted contribution of an attacker be suspicious in this regard?
As things stand, I agree that it would not. Enforcing strict traceability of upstream sources (and patches where possible) will, I believe, help to a degree;
But this is the obvious escape, isn't it? Patches, in general, are not traceable. The main reason is that some are generated after a refresh from quilt, others are heavy adaptations from a fix in the main branch, an undisclosed amount comes from patches borrowed from other distributions, downstream adaptations, etc. There are packages with literally hundreds of patches, with specific tools generated to maintain those patches (some use a separate git, or ad-hoc scripts to detect conflicts).
We should probably rethink our guidelines for making someone a maintainer of a devel project package, as in something like 10 contributions to the package needed before you may be assigned maintainership. Or have a points system: award points for accepted SRs into Factory, etc. and impose a point threshold before allowing maintainership. Just thinking aloud here.
A ring of trust was also what was hacked in the XZ project. In two years (what Jia Tan used in total) the normal contributor in OBS would join and quit the project several times. I do not want to sound dismissive. There is something that we must implement in the project to protect us against this kind of scenario, but I still do not see any idea that would work in the XZ project nor in OBS. It is indeed a hard problem.
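The "Source without associated URL" problem raised above is mechanically checkable. The following is an added example, not code from the thread participants or from openSUSE/OBS tooling: it scans an RPM spec for Source (and optionally Patch) tags whose value is a bare filename rather than a URL, which is the case where the tarball exists only inside the package repository and cannot be re-fetched and compared against upstream. The spec excerpt and all names in it are constructed for the example; the `ignore` suffix list is an assumed convenience for distro-local auxiliary files such as rpmlintrc.

```python
import re

# Constructed spec excerpt (not a real package): one Source with an upstream
# URL, one bare tarball, one distro-local helper file, and two patches.
SAMPLE_SPEC = """
Name:           example
Version:        1.2.3
Source0:        https://example.org/releases/%{name}-%{version}.tar.gz
Source1:        example-config.tar.gz
Source2:        %{name}-rpmlintrc
Patch0:         fix-build.patch
Patch1:         https://example.org/commits/abc123.patch
"""

# Source / Source0 / Patch3 ... tags; value is the first non-space token.
_TAG_RE = re.compile(
    r"^\s*(?P<kind>Source|Patch)(?P<idx>\d*)\s*:\s*(?P<value>\S+)",
    re.IGNORECASE,
)
# Anything not starting with a fetchable scheme is treated as a local file.
_URL_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)


def find_untraceable(spec_text, include_patches=False, ignore=()):
    """Return [(tag, value), ...] for Source (and, if requested, Patch)
    entries whose value is not a URL. Values ending in one of the `ignore`
    suffixes (e.g. "-rpmlintrc") are skipped as known distro-local files."""
    flagged = []
    for line in spec_text.splitlines():
        m = _TAG_RE.match(line)
        if not m:
            continue
        kind = m.group("kind").capitalize()
        if kind == "Patch" and not include_patches:
            continue
        value = m.group("value")
        if any(value.endswith(suffix) for suffix in ignore):
            continue
        if not _URL_RE.match(value):
            flagged.append((f"{kind}{m.group('idx')}", value))
    return flagged


if __name__ == "__main__":
    for tag, value in find_untraceable(SAMPLE_SPEC, include_patches=True,
                                       ignore=("-rpmlintrc",)):
        print(f"{tag}: {value} has no upstream URL")
```

A URL only makes the source re-fetchable; it does not by itself prove the committed tarball is the upstream one, so the check is a prerequisite for, not a replacement for, re-downloading and comparing checksums (in OBS the `download_files` source service does that re-fetch). As the thread notes, patches rarely have a fetchable origin at all, which is why the patch check is opt-in here.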