1. Packages where spec files do not have traceable source tarballs with full URLs pointing to upstream. I understand that this is already discouraged but not entirely forbidden [2], so a user could have something like

```
Source0: totally_not_an_exploit.tar.gz
```

in their spec file, have the package build, submit it to a devel project, and eventually get it into Factory. Unless project or Factory reviewers have the time to untar the sources and carefully study them, which seems an almost impossible burden on either, the tarball could, intentionally or not, carry an exploit through. For sources that do indicate the full URL, I understand that bots in Factory check the bundled tarballs against the upstream ones and decline them in case of any mismatch. However, for locally generated tarballs with no traceability, there is no check that prevents them from being shipped as part of the distro proper.
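Added example, not code from the thread or from the Factory bots: a small Python audit that separates the `Source` tags of a spec file into traceable ones (a full `http`/`https`/`ftp` URL after macro expansion) and untraceable ones, and, for the traceable ones, compares the SHA-256 of the bundled tarball with a recorded upstream digest. The spec text, the tarballs and the digest table are all constructed inline so it runs offline; a real checker would download the upstream file instead of looking up a table, and the macro expansion here only covers `%{name}`/`%{version}`-style preamble tags.

```python
"""Audit RPM spec Source tags for traceability and upstream-digest mismatch."""
import gzip
import hashlib
import io
import re
import tarfile
from urllib.parse import urlparse

# Constructed spec text for the example (not a real package).
SPEC = """\
Name:           example
Version:        1.2.3
Release:        0
Summary:        Example package
License:        MIT
URL:            https://example.invalid/example
Source0:        https://example.invalid/releases/%{name}-%{version}.tar.gz
Source1:        totally_not_an_exploit.tar.gz
Source2:        %{name}-rpmlintrc
"""

TAG_RE = re.compile(r"^(?P<tag>[A-Za-z]+?)(?P<num>\d*):[ \t]*(?P<value>\S.*?)[ \t]*$", re.M)
MACRO_RE = re.compile(r"%\{?(\w+)\}?")
TRACEABLE_SCHEMES = {"http", "https", "ftp"}


def parse_spec(text):
    """Return (preamble tags keyed lower-case, [(SourceN, raw value), ...])."""
    tags, sources = {}, []
    for m in TAG_RE.finditer(text):
        tag, num, value = m.group("tag"), m.group("num"), m.group("value")
        if tag.lower() == "source":
            sources.append((f"Source{num or '0'}", value))  # bare "Source:" means Source0
        elif not num:
            tags[tag.lower()] = value
    return tags, sources


def expand_macros(value, tags):
    """Expand %{name}/%{version}-style macros from preamble tags; leave unknown ones as-is."""
    return MACRO_RE.sub(lambda m: tags.get(m.group(1).lower(), m.group(0)), value)


def classify_sources(spec_text):
    """Map each SourceN to (expanded value, traceable?) where traceable means a full URL."""
    tags, sources = parse_spec(spec_text)
    out = {}
    for tag, raw in sources:
        expanded = expand_macros(raw, tags)
        out[tag] = (expanded, urlparse(expanded).scheme.lower() in TRACEABLE_SCHEMES)
    return out


def build_tarball(files):
    """Build a deterministic .tar.gz in memory from {path: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tf:
            for path, content in sorted(files.items()):
                info = tarfile.TarInfo(path)
                info.size = len(content)
                tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def audit(spec_text, local_files, upstream_digests):
    """Return {SourceN: status}; status is 'untraceable', 'missing', 'ok' or 'mismatch'.

    local_files maps a basename to the bytes bundled in the package; upstream_digests
    maps a full source URL to the SHA-256 of the file as published upstream.
    """
    result = {}
    for tag, (value, traceable) in classify_sources(spec_text).items():
        if not traceable:
            result[tag] = "untraceable"  # nothing to compare against: flag for review
            continue
        local = local_files.get(value.rsplit("/", 1)[-1])
        if local is None:
            result[tag] = "missing"
        elif sha256_hex(local) == upstream_digests.get(value):
            result[tag] = "ok"
        else:
            result[tag] = "mismatch"
    return result


# Constructed "upstream" release and a tampered rebuild of it with one extra file.
UPSTREAM_TARBALL = build_tarball({"example-1.2.3/main.c": b"int main(void) { return 0; }\n"})
UPSTREAM_DIGESTS = {
    "https://example.invalid/releases/example-1.2.3.tar.gz": sha256_hex(UPSTREAM_TARBALL),
}
TAMPERED_TARBALL = build_tarball({
    "example-1.2.3/main.c": b"int main(void) { return 0; }\n",
    "example-1.2.3/extra.sh": b"#!/bin/sh\n",
})


def demo(tampered=False):
    """Audit the constructed package with either the pristine or the tampered Source0."""
    local = {
        "example-1.2.3.tar.gz": TAMPERED_TARBALL if tampered else UPSTREAM_TARBALL,
        "totally_not_an_exploit.tar.gz": build_tarball({"x": b"whatever\n"}),
        "example-rpmlintrc": b"",
    }
    return audit(SPEC, local, UPSTREAM_DIGESTS)


if __name__ == "__main__":
    for flag in (False, True):
        print("tampered" if flag else "pristine", demo(flag))
```

Source1 and Source2 both come back `untraceable`: the rpmlintrc is harmless, but the script cannot tell it apart from the locally built tarball, which is exactly the gap described above, so a reviewer still has to decide what to do with each flagged entry.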