On November 27, 2025 6:46:51 AM UTC, Vitaly Zaitsev via devel <[email protected]> wrote:

>On 25/11/2025 21:46, Neal Gompa wrote:
>> It eliminates one of the major needs for a proven packager because
>> Koji doesn't block builds to packagers. Proven Packagers would then
>> only be needed for builds that require source changes.
>
>Am I the only one who sees a potential security vulnerability here? A
>malicious maintainer could replace static library A with a compromised version
>and then rebuild package B without any special permissions.
>
>This can be a problem for languages that only support static linking, such
>as Rust or Go.
>
You can already do that nowadays with shared libraries and runtime modules. So IMHO eliminating this small portion of an attack vector doesn't warrant the loss of developer experience. I mean, we're still pretty much open to the malicious maintainer attack scenario; it just wouldn't really be worse than it already is.
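A detection-side illustration of the concern raised in the quoted message, added here and not part of the thread: flag rebuilds whose own source is unchanged while a statically linked input in the buildroot changed. The build records, their field names and the `rust-`/`golang-` name prefixes are constructed assumptions for this example, not Koji's actual data model; real records would have to be pulled from the build system's buildroot listing.

```python
"""Flag rebuilds with unchanged sources but changed static inputs.

Data model is constructed for this example (assumption, not Koji's API):
each record carries the package name, a digest of its own sources, and
the buildroot components (name -> version) that went into the build.
"""
from typing import Dict, List, Tuple

# Constructed sample history: the static Rust dependency rust-crate-foo is
# bumped between two rebuilds of app-b whose source digest never changes.
# app-c also picks up the new crate, but its own source changed too, so a
# source review would already cover that build.
BUILD_HISTORY: List[Dict] = [
    {"package": "app-b", "build_id": 1, "source_sha256": "aaaa",
     "buildroot": {"rust-crate-foo": "1.0.0", "glibc": "2.39"}},
    {"package": "app-b", "build_id": 2, "source_sha256": "aaaa",
     "buildroot": {"rust-crate-foo": "1.0.1", "glibc": "2.39"}},
    {"package": "app-c", "build_id": 3, "source_sha256": "bbbb",
     "buildroot": {"rust-crate-foo": "1.0.0"}},
    {"package": "app-c", "build_id": 4, "source_sha256": "cccc",
     "buildroot": {"rust-crate-foo": "1.0.1"}},
]

# Assumed naming convention for statically linked language ecosystems.
STATIC_PREFIXES: Tuple[str, ...] = ("rust-", "golang-")


def static_input_changes(history: List[Dict],
                         static_prefixes: Tuple[str, ...] = STATIC_PREFIXES
                         ) -> List[Dict]:
    """Return one finding per build whose source digest equals the previous
    build of the same package while a static input version differs."""
    findings: List[Dict] = []
    last_by_pkg: Dict[str, Dict] = {}
    for build in sorted(history, key=lambda b: b["build_id"]):
        prev = last_by_pkg.get(build["package"])
        if prev is not None and prev["source_sha256"] == build["source_sha256"]:
            changed = {
                name: (prev["buildroot"].get(name), ver)  # (old, new); old may be None
                for name, ver in build["buildroot"].items()
                if name.startswith(static_prefixes)
                and prev["buildroot"].get(name) != ver
            }
            if changed:
                findings.append({"package": build["package"],
                                 "build_id": build["build_id"],
                                 "changed": changed})
        last_by_pkg[build["package"]] = build
    return findings
```

Shared-library swaps leave the new soname visible on the installed system, whereas a static input change is only recorded in the buildroot, which is why the comparison is done on build inputs rather than on the shipped binaries.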
