Moin,

On Tue, 18 Nov 2025, 13:11:58 +0100, Bernhard M. Wiedemann wrote:
> Hi,
> 
> In a recent discussion at
> https://www.reddit.com/r/openSUSE/comments/1ozu0l2/comment/npeyu4g/
> I noticed that there are around 35 accounts with write access to the
> Essentials repo.
> 
> This worries me because a compromise of any one of those accounts would
> allow for malicious code to be distributed to a lot of openSUSE users.
> 
> Maybe some of these accounts are not even used anymore?
> Would it be possible to reduce the number to below 10 and use more
> submit-requests with reviews for code updates?
> 
> Several packages are links to OBS anyway and don't need manual updating.
> 
> So what do you think about that?
> Or is there some other way to increase the trustability of Packman packages?
> 
> Ciao
> Bernhard M. Wiedemann
> (maintainer of openSUSE-Slowroll and security-enthusiast)
> 
> P.S. I also sometimes test for reproducible-builds and so far results looked
> decent. Last test was 11 months ago.

Did we have any outcome from this? I was rather surprised to see an
update for package Multimedia/MakeMKV, which I am a maintainer of,
without having received a review request. @enzokiel: thanks for your
contribution, but I would really re-ask the question:

  Do we want peer-reviews in Packman?

FWIW, @enzokiel: thanks also for approving my SR for handbrake, although
no feedback to the SR was provided.

I would strongly vote for it, especially for such packages as MakeMKV
which contain a significant binary blob...

Cheers.

l8er
manfred

Attachment: signature.asc
Description: PGP signature

_______________________________________________
Packman mailing list
[email protected]
https://lists.links2linux.de/cgi-bin/mailman/listinfo/packman

Antwort per Email an