Vitaly Zaitsev via devel <[email protected]> writes:

> On 27/11/2025 08:07, Dan Čermák wrote:
>> You can already do that nowadays with shared libraries and runtime modules.
>> So IMHO eliminating this small portion of an attack vector doesn't warrant
>> the loss of developer experience. I mean, we're still pretty much open to
>> the malicious maintainer attack scenario; it just wouldn't be really worse
>> than it already is.
>
> Shared libraries have less impact because they can be easily tracked and
> rebuilt.
>
> Static libraries have a significantly greater impact because they can be
> included in several other dependent packages, and to fix such issues,
> all of them must be rebuilt. A single, small library can be included in
> several larger, more important packages.

But the only users of static linking are Go, which is currently switching to vendoring, and Rust, which is not doing rebuilds between releases. That leaves us with a small portion of C libraries that usually tend to have a shared library subpackage too.

> Currently, a malicious maintainer can only update their library, but
> can't rebuild dependent packages due to missing provenpackager
> permissions. With the new policy, they will be able to do this silently
> and no one will be able to see the change.
>
> --
> Sincerely,
> Vitaly Zaitsev ([email protected])

--
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
