Hi Atri,

Thank you for raising this.

We have the same problem not only with Source tags but also with Patch. They are sometimes too big to be properly reviewed by the accepting OBS maintainer. I always use the GitHub URL (github.com/org/pkg/pull/NNN.patch#/pkg-prNNN-shortdesc.patch) when possible in order to have a stable version. But sometimes you have to apply patches which have not been merged yet. In that case, there might be later additional commits (relevant or not) and the URL will yield a different patch, which a bot in Factory will complain about. So you leave out the URL and only reference it in a comment.

On 04.04.24 at 11:16, Atri Bhattacharya wrote:
1. Packages where spec files do not have traceable source tarballs
with full URLs pointing to upstream. I understand that this is
already discouraged but not entirely forbidden [2], so a user
could have something like

```
Source0: totally_not_an_exploit.tar.gz
```

in their specfile, have the package build and submit it to a devel
project and eventually Factory. Unless project or Factory
reviewers have the time to untar the sources and carefully study
them, which seems an almost impossible burden on either, the
tarball could, intentionally or not, carry through an exploit.

For sources that do indicate the full URL, I understand that bots
in the Factory check the bundled tarballs against upstream ones,
and decline them in case of any mismatch. However, for locally
generated tarballs with no traceability, there is no check that
prevents them from being shipped around as part of the distro
proper.

I plead guilty as charged. There are many packages of mine where there is a Source without an associated URL. This ranges from _service-generated rust vendor.tar.xz (Who audits these?) to test data tarballs generated by manual downloads. Spot the connection to the XZ backdoor.

Examples:
- Source6 of python-skyfield [1]
- npm-generated modules (only for testing!): python-pycrdt-websocket [2], python-jupyter-ydoc [3]

I imagine it would be hard to audit this automatically or force the review team to look into every single archive.


Regards,
Ben

[1] https://build.opensuse.org/projects/openSUSE:Factory/packages/python-skyfield/files/python-skyfield.spec
[2] https://build.opensuse.org/projects/openSUSE:Factory/packages/pthon-pycrdt-websocket/files/python-pycrdt-websocket.spec
[3] https://build.opensuse.org/projects/openSUSE:Factory/packages/python-jupyter-ydoc/files/create_node_modules.sh
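The check the thread says is missing, as an added example that is not part of this mail or of any OBS tooling: a small audit over a constructed spec fragment that lists every Source/Patch tag, flags the ones with no upstream URL (the untraceable tarballs Atri describes), and separately marks GitHub pull-request .patch URLs, whose content can still change while the PR is open. The spec text, tag values and function names are all assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed spec fragment modelled on the cases discussed in the thread
# (not a real package). Source1/Source6/Patch1 have no URL at all.
SAMPLE_SPEC = """\
Name:           example
Version:        1.2.3
Source0:        https://files.pythonhosted.org/packages/source/e/%{name}/%{name}-%{version}.tar.gz
Source1:        totally_not_an_exploit.tar.gz
Source6:        vendor.tar.xz
Patch0:         https://github.com/org/pkg/pull/123.patch#/pkg-pr123-fix-build.patch
Patch1:         local-fix.patch
"""

TAG_RE = re.compile(r"^(?P<tag>(?:Source|Patch)\d*)\s*:\s*(?P<value>\S+)", re.M)
SIMPLE_TAG_RE = re.compile(r"^(?P<tag>Name|Version)\s*:\s*(?P<value>\S+)", re.M)
# A pull-request .patch URL (with or without the #/name.patch suffix OBS uses).
PR_PATCH_RE = re.compile(r"^https://github\.com/[^/]+/[^/]+/pull/\d+\.patch")


def expand_macros(text, value):
    """Expand %{name} and %{version} from the spec's own Name/Version tags."""
    macros = {m.group("tag").lower(): m.group("value") for m in SIMPLE_TAG_RE.finditer(text)}
    for key, val in macros.items():
        value = value.replace("%{" + key + "}", val)
    return value


def audit_spec(text):
    """Return [(tag, expanded_value, finding)] for every Source/Patch tag.

    finding is 'no-url' (nothing to compare against upstream), 'pr-patch'
    (fetchable, but unstable until the PR is merged), or 'url'."""
    findings = []
    for m in TAG_RE.finditer(text):
        tag, value = m.group("tag"), expand_macros(text, m.group("value"))
        scheme = urlparse(value).scheme
        if scheme not in ("http", "https", "ftp"):
            findings.append((tag, value, "no-url"))
        elif PR_PATCH_RE.match(value):
            findings.append((tag, value, "pr-patch"))
        else:
            findings.append((tag, value, "url"))
    return findings


def untraceable(text):
    """Tags a reviewer would have to inspect by hand: no URL to verify against."""
    return [tag for tag, _, finding in audit_spec(text) if finding == "no-url"]


if __name__ == "__main__":
    for tag, value, finding in audit_spec(SAMPLE_SPEC):
        print(f"{finding:9} {tag}: {value}")
```

Run against a checked-out package directory, the 'no-url' list is exactly the set of files that no Factory bot can compare with upstream.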