Hi Atri,

Thank you for raising this. We have the same problem not only with Source tags but also with Patch. They are sometimes too big to be properly reviewed by the accepting OBS maintainer.

I always use the GitHub URL (github.com/org/pkg/pull/NNN.patch#/pkg-prNNN-shortdesc.patch) when possible in order to have a stable version. But sometimes you have to apply patches which have not been merged yet. In that case, there might be later additional commits (relevant or not) and the URL will yield a different patch, which a bot in Factory will complain about. So you leave out the URL and only reference it by comment.

On 04.04.24 at 11:16, Atri Bhattacharya wrote:
1. Packages where spec files do not have traceable source tarballs with full URLs pointing to upstream. I understand that this is already discouraged but not entirely forbidden [2], so a user could have something like
```
Source0: totally_not_an_exploit.tar.gz
```
in their specfile, have the package build and submit it to a devel project and eventually Factory. Unless project or Factory reviewers have the time to untar the sources and carefully study them, which seems an almost impossible burden on either, the tarball could, intentionally or not, carry through an exploit.
For sources that do indicate the full URL, I understand that bots in the Factory check the bundled tarballs against upstream ones, and decline them in case of any mismatch. However, for locally generated tarballs with no traceability, there is no check that prevents them from being shipped around as part of the distro proper.
I plead guilty as charged. There are many packages of mine where there is a Source without an associated URL. This ranges from _source generated rust vendor.tar.xz (Who audits these?) to test data tarballs generated by manual downloads. Spot the connection to the XZ backdoor.

Examples:
- Source6 of python-skyfield [1]
- npm generated modules (only for testing!): python-pycrdt-websocket [2], python-jupyter-ydoc [3]

I imagine it would be hard to audit this automatically or force the review team to look into every single archive.

Regards,
Ben

[1] https://build.opensuse.org/projects/openSUSE:Factory/packages/python-skyfiel...
[2] https://build.opensuse.org/projects/openSUSE:Factory/packages/pthon-pycrdt-w...
[3] https://build.opensuse.org/projects/openSUSE:Factory/packages/python-jupyter...
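A small lint for the problem discussed in this thread, added here as an example and not code from anyone in the discussion or from OBS: it scans a spec file for Source/Patch tags whose value is not a full URL (after expanding %{name}/%{version}), so locally generated tarballs and un-referenced patches can be flagged before review. The spec fragment is constructed; the package names in it are made up.

```python
import re

# Constructed sample spec fragment (no real package) mixing traceable URL
# sources, a GitHub PR patch URL, and untraceable local archives.
SAMPLE_SPEC = """\
Name:           example-pkg
Version:        1.2.3
# a comment line that must be ignored
Source0:        https://example.org/releases/%{name}-%{version}.tar.gz
Source1:        vendor.tar.xz
Source6:        testdata.tar.gz
Patch0:         https://github.com/org/pkg/pull/42.patch#/pkg-pr42-fix.patch
Patch1:         local-fix.patch
"""

TAG_RE = re.compile(r"^(Source|Patch)(\d*)\s*:\s*(\S+)", re.IGNORECASE)
META_RE = re.compile(r"^(Name|Version)\s*:\s*(\S+)", re.IGNORECASE)
URL_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)


def expand_macros(value, macros):
    """Expand %{name}-style macros so the URL check sees the real value."""
    return re.sub(r"%\{(\w+)\}", lambda m: macros.get(m.group(1), m.group(0)), value)


def find_untraceable(spec_text):
    """Return (tag, value) pairs for Source/Patch entries that carry no full URL."""
    macros = {}
    findings = []
    for line in spec_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # spec comments are not tags
        meta = META_RE.match(line)
        if meta:
            macros[meta.group(1).lower()] = meta.group(2)
            continue
        tag = TAG_RE.match(line)
        if not tag:
            continue
        name = tag.group(1).capitalize() + tag.group(2)
        value = expand_macros(tag.group(3), macros)
        if not URL_RE.match(value):
            findings.append((name, value))
    return findings


if __name__ == "__main__":
    for name, value in find_untraceable(SAMPLE_SPEC):
        print(f"untraceable {name}: {value}")
```

Such a check only proves that an upstream reference exists; verifying that the shipped archive actually matches that reference is the separate comparison the Factory bots perform.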