On 27/11/2025 08:07, Dan Čermák wrote:
> You can already do that nowadays with shared libraries and runtime modules. So, IMHO, eliminating this small portion of an attack vector doesn't warrant the loss of developer experience. I mean, we're still pretty much open to the malicious maintainer attack scenario; it just wouldn't really be worse than it already is.
Shared libraries have less impact because they can be easily tracked and rebuilt.
Static libraries have a significantly greater impact because they can be included in several other dependent packages, and to fix such issues, all of them must be rebuilt. A single, small library can be included in several larger, more important packages.
Currently, a malicious maintainer can only update their library, but can't rebuild dependent packages due to missing provenpackager permissions. With the new policy, they will be able to do this silently and no one will be able to see the change.
-- 
Sincerely,
Vitaly Zaitsev ([email protected])
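As an added demonstration of the rebuild point made above (this is not part of the thread and does not use any real Fedora package; the library "libfoo", its consumers and the version strings are all constructed here), the script below builds the same library once as a shared object and once as a static archive, links one consumer program against each, then ships a "fixed" libfoo without relinking anything. The consumer of the shared object picks up the fix on its own; the statically linked one keeps running the old code until it is rebuilt, which is exactly why a fix in a static library fans out into a rebuild of every package that embeds it.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): shared vs static linking
# and what a library fix reaches without a rebuild of dependents.
# Assumes a C compiler reachable as "cc" and the "ar" tool; libfoo, app.c and
# the version strings are constructed for this demonstration only.
set -eu

# Write libfoo's single source file with the given version string.
write_lib() {
    printf 'const char *foo_version(void) { return "%s"; }\n' "$1" > foo.c
}

# Runs in a subshell so the cd/trap do not leak into the caller.
demo() (
    dir=$(mktemp -d)
    cd "$dir"

    # Release 1.0 stands in for the vulnerable library version.
    write_lib "1.0"
    cc -shared -fPIC -o libfoo.so foo.c          # shared object
    cc -c -o foo.o foo.c && ar rcs libfoo.a foo.o # static archive, same code

    # One consumer program; the only difference is how libfoo is linked in.
    cat > app.c <<'EOF'
#include <stdio.h>
const char *foo_version(void);
int main(void) { printf("%s", foo_version()); return 0; }
EOF
    cc -o app_shared app.c -L"$dir" -lfoo -Wl,-rpath,"$dir"  # dynamic link
    cc -o app_static app.c libfoo.a                           # code copied in

    # "Security fix" 1.1: rebuild ONLY the library, as the library's
    # maintainer would when pushing a fixed package. No dependent is relinked.
    write_lib "1.1"
    cc -shared -fPIC -o libfoo.so foo.c

    shared=$(LD_LIBRARY_PATH="$dir" ./app_shared)
    static=$(./app_static)
    cd / && rm -rf "$dir"

    # Shared consumer already runs 1.1; static consumer still embeds 1.0.
    printf 'shared=%s static=%s\n' "$shared" "$static"
)

if command -v cc >/dev/null 2>&1; then
    demo
else
    echo "no C compiler found; nothing to demonstrate" >&2
fi
```

The second line of output is the whole argument in miniature: the shared consumer reports 1.1 while the static one still reports 1.0, and nothing short of relinking `app_static` against the new archive changes that. On a real distribution the hard part is the inventory step, i.e. finding every package that embedded the old archive, which in Fedora relies on spec files declaring a `BuildRequires` on the library's `-static` subpackage so the consumers can be listed and rebuilt.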
