[opensuse-factory] Turning certain rpmlint errors into warnings
Hello,

the SUSE security team wants to change part of our process in a way that will affect (open)SUSE packagers.

Several features in a package currently produce rpmlint errors that ask packagers to submit the package for a review by the security team. E.g.:

- Adding a setuid binary
- Changing polkit settings

This is described here: https://en.opensuse.org/index.php?title=openSUSE:Package_security_guidelines&oldid=136012#Audit_Bugs_for_the_Security_Team

The current approach (error by rpmlint) has the drawback that this also triggers in devel projects. So if you package something with a setuid binary but don't intend to make this package part of (open)SUSE you will still see the errors. You then either have to suppress them or we have to spend effort on reviewing something that's not in an official distribution.

We want to change these errors into warnings without badness (first only in Factory, but in short order also for openSUSE:* and SUSE:* too). You will still see a warning that informs you that you need to go through a review if you want it in an official distribution. This is then enforced by adding reviews for the security team to each request made to an official distribution if these warnings are present. Once the changes have been reviewed and whitelisted the warnings will vanish.

The upside for you is that you can already use/test your packages in the devel project without being blocked by build errors. We hope to make the process faster and easier for everyone involved.

Nothing will change for you if:

- you don't need special permissions in your package
- you need special permissions and they were already checked by the security team

If you see one of these warnings they describe what you need to do to get your submits through without an additional review being added to the submit. We have a constant flow of audit bugs, so please open your audit request as early as possible so that we don't introduce a delay in your request while we review the changes.
If you have any questions please ask away (please CC me) or contact security@suse.de

Thanks,
Johannes for the SUSE security team

--
GPG Key E7C81FA0
EE16 6BCE AD56 E034 BFB3 3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint: 250F 43F5 F7CE 6F1E 9C59 4F95 BC27 DD9D 2CC4 FD66
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg
Geschäftsführer: Felix Imendörffer (HRB 247165, AG München)
participants (1)
-
Johannes Segitz