Michael Pujos wrote:
Interesting as I also always wondered about what measures are taken in the OBS infrastructure for building Factory packages to prevent malicious contributions, especially in the area of checking that all the files in project (source, patches, .spec) are legit.
At least patches and specfiles are text, they are verifiable by reviewers. On the other hand, tarballs that exist solely on build.o.o — and nowhere else — do scare me now.
For example, it is relatively easy for a new contributor to submit a new package in a devel project then in Factory (and become maintainer), or to submit requests to existing projects. I think it should largely remain that way to not discourage new contributions, but have all the safeguards been considered to prevent malicious contributions? Probably not. I think analyzing all possible scenarios and hardening solutions is inevitable and that all distros are evaluating their security at this moment.
Yes, this attack has rather been a shock to the system.
On 4/4/24 11:16 AM, Atri Bhattacharya wrote:
Perhaps we should reconfigure the Factory bot to forbid non-URL sources from Factory packages entirely. I am not sure how many packages currently have these, but I am fixing one right now. How would that work with packages built from a .obscpio archive that was generated from invoking a service manually or locally fetching the source from git? Such as pango:
https://build.opensuse.org/package/show/openSUSE:Factory/pango
Are these already checked to verify the .obscpio is legit?
I believe these sources, typically generated by a _service file, are verified against a cpio generated by the Factory bot against the same upstream git commit specified in the _service, but I may be mistaken. At least in theory it is possible to verify these.
Best wishes.
-- Atri
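As an added illustration of the "forbid non-URL sources" check discussed in this thread, the following is example code written here, not the Factory bot or any openSUSE/OBS tooling; the spec fragment is constructed, and macro expansion is limited to the spec's own Name/Version/URL tags. It lists every Source/Patch tag that does not resolve to a URL and then narrows to archives (tarballs, .obscpio) that would exist only inside OBS, which are exactly the files that still need the separate commit comparison Atri describes.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample spec fragment (not the real pango spec from build.opensuse.org).
SAMPLE_SPEC = """\
Name:           example
Version:        1.2.3
URL:            https://example.invalid/project
Source0:        %{url}/releases/%{name}-%{version}.tar.xz
Source1:        example-rpmlintrc
Source2:        %{name}-%{version}.obscpio
Patch0:         fix-build.patch
"""

TAG_RE = re.compile(r"^(?P<tag>Source|Patch)(?P<idx>\d*)\s*:\s*(?P<value>\S+)", re.M)
DEF_RE = re.compile(r"^(?P<tag>Name|Version|URL)\s*:\s*(?P<value>\S+)", re.M | re.I)
URL_SCHEMES = ("http://", "https://", "ftp://")
ARCHIVE_EXT = (".tar", ".tar.gz", ".tgz", ".tar.xz", ".tar.bz2", ".zip", ".obscpio")


def expand_macros(value: str, macros: Dict[str, str]) -> str:
    """Expand %{name}, %{version} and %{url} from the spec preamble.
    Unknown macros are left untouched, so they can never be mistaken for a URL."""
    return re.sub(r"%\{(\w+)\}", lambda m: macros.get(m.group(1).lower(), m.group(0)), value)


def non_url_sources(spec_text: str) -> List[Tuple[str, str]]:
    """Return (tag, expanded value) for each Source/Patch tag that is not a URL.
    Patches are reported too; a reviewer may exempt them since they are readable text."""
    macros = {m.group("tag").lower(): m.group("value") for m in DEF_RE.finditer(spec_text)}
    findings = []
    for m in TAG_RE.finditer(spec_text):
        tag = m.group("tag") + m.group("idx")
        expanded = expand_macros(m.group("value"), macros)
        if not expanded.lower().startswith(URL_SCHEMES):
            findings.append((tag, expanded))
    return findings


def opaque_archives(findings: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Keep only non-URL entries that are archives: files a reviewer cannot read as text
    and that, without an upstream URL or commit to compare against, exist only in OBS."""
    return [(t, v) for t, v in findings if v.lower().endswith(ARCHIVE_EXT)]


if __name__ == "__main__":
    for tag, value in non_url_sources(SAMPLE_SPEC):
        print(f"non-URL source: {tag} = {value}")
    print("needs upstream comparison:", opaque_archives(non_url_sources(SAMPLE_SPEC)))
```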