On 25/11/2025 21:46, Neal Gompa wrote:
> It eliminates one of the major needs for a proven packager because Koji doesn't block builds to packagers. Proven Packagers would then only be needed for builds that require source changes.
Am I the only one who sees a potential security vulnerability here? A malicious maintainer could replace static library A with a compromised version and then rebuild package B without any special permissions.
This can be a problem for languages that only support static linking, such as Rust or Go.
--
Sincerely,
Vitaly Zaitsev ([email protected])

_______________________________________________
devel mailing list -- [email protected]
