Olaf Hering wrote:
> Thu, 04 Apr 2024 09:16:03 -0000 "Atri Bhattacharya" :
> > I hope I am wrong.
> You are.
> How would any of what you wrote actually help with the recent CVE?

Sorry, perhaps you misunderstand me and I was probably not as clear as I should have been, but I am not talking about anything that might have dealt with upstream themselves being compromised. Instead, I am talking about an openSUSE packager acting in bad faith or generating the tarball on their local, already compromised system, for example. Unverifiable tarballs in sources may allow another potential route for supply side attacks specifically targeting a distro, say ours.

> I'm sure all submit requests cannot get a full security review. No one spotted the added dot, for example. Who would be able to do the reviews anyway, at the required scale?

True, but again, I am not specifically referring to compromised upstream, but rather a bad faith or compromised openSUSE packager.

> You are right with the requirement to run autogen.sh for all projects that use autotools. But, it was said it would not help with that CVE.

Not specifically, but perhaps it might have raised a downstream packager's suspicion.

> It may raise the bar for future attempts, if we would actually use our existing tooling and grab fixed commit hashes from somewhere and let OBS internally create the source snapshots.

Yes, great point, I think this is already done by Factory bots for sources packaged using _service files, unless I am mistaken.

Best wishes,
--
Atri
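The check the thread argues for, as an added example that is not openSUSE or OBS tooling: a packager-supplied tarball is compared file by file against a source snapshot regenerated from a pinned commit, so added, dropped or altered files are reported regardless of tar metadata. The function names and the sample file contents are constructed for this example.

```python
"""Compare a release tarball against a VCS source snapshot (added example)."""
import hashlib
import io
import tarfile


def file_digests(files: dict[str, bytes]) -> dict[str, str]:
    """Map relative path -> sha256 of content; mtime/owner/mode are ignored."""
    return {p: hashlib.sha256(b).hexdigest() for p, b in files.items()}


def read_tarball(data: bytes, strip_top_dir: bool = True) -> dict[str, bytes]:
    """Load regular files from an in-memory tarball as {relpath: bytes}."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            if not m.isfile():
                continue  # skip dirs, symlinks, devices: only content is compared
            name = m.name.split("/", 1)[1] if strip_top_dir and "/" in m.name else m.name
            out[name] = tf.extractfile(m).read()
    return out


def compare(snapshot: dict[str, bytes], tarball: dict[str, bytes]) -> dict[str, list[str]]:
    """Report files present only on one side, and files whose bytes differ."""
    s, t = file_digests(snapshot), file_digests(tarball)
    return {
        "only_in_tarball": sorted(set(t) - set(s)),
        "only_in_snapshot": sorted(set(s) - set(t)),
        "modified": sorted(p for p in set(s) & set(t) if s[p] != t[p]),
    }


def build_tarball(files: dict[str, bytes], top: str = "proj-1.0") -> bytes:
    """Helper to construct a sample tarball in memory (stands in for a packager's upload)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for p, b in files.items():
            info = tarfile.TarInfo(f"{top}/{p}")
            info.size = len(b)
            tf.addfile(info, io.BytesIO(b))
    return buf.getvalue()


# Constructed sample: the snapshot OBS would regenerate from a pinned commit,
# and a tarball that carries one altered m4 file plus one file not in VCS.
SNAPSHOT = {"configure.ac": b"AC_INIT([proj],[1.0])\n", "m4/helper.m4": b"dnl upstream\n"}
TARBALL_FILES = dict(SNAPSHOT, **{"m4/helper.m4": b"dnl upstream\ndnl extra\n", "extra.sh": b"true\n"})


def demo() -> dict[str, list[str]]:
    return compare(SNAPSHOT, read_tarball(build_tarball(TARBALL_FILES)))
```

A clean result is all three lists empty; anything else means the tarball is not what the pinned commit produces and needs a human look.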