On Tue, Oct 5, 2021 at 11:27 AM Matthew Miller <mat...@fedoraproject.org> wrote: > > On Mon, Oct 04, 2021 at 09:17:30PM +0200, Vitaly Zaitsev via devel wrote: > > >Is this really necessary? > > > > Yes. Because anyone can add something like this: > > %post > > rm -rf / > > > > And it will destroy the installed system or even the hardware. > > Yeah, but... that's not going get through the PR process? In fact, that > specific thing should fail in CI before a human gets to it even.
So you're going to ensure that the people using this package to experiment/learn can *only* submit via PR? I like that. I find it to be better, but not sufficient depending on how that works. > Overall, we put a lot of trust in maintainers. I don't see this _particular_ > route as a likely one for violating that trust. I think I'd like to see a more sketched out flow. This isn't for maintainers, it's for people trying to learn to be maintainers. They're still building that trust via this whole thing, right? josh _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
