Moin, On Tue, 18 Nov 2025, 13:11:58 +0100, Bernhard M. Wiedemann wrote: > Hi, > > In a recent discussion at > https://www.reddit.com/r/openSUSE/comments/1ozu0l2/comment/npeyu4g/ > I noticed that there are around 35 accounts with write access to the > Essentials repo. > > This worries me because a compromise of any one of those accounts would > allow for malicious code to be distributed to a lot of openSUSE users. > > Maybe some of these accounts are not even used anymore? > Would it be possible to reduce the number to below 10 and use more > submit-requests with reviews for code updates? > > Several packages are links to OBS anyway and don't need manual updating. > > So what do you think about that? > Or is there some other way to increase the trustability of Packman packages? > > Ciao > Bernhard M. Wiedemann > (maintainer of openSUSE-Slowroll and security-enthusiast) > > P.S. I also sometimes test for reproducible-builds and so far results looked > decent. Last test was 11 months ago.
Did we have any outcome from this? I was rather surprised to see an update for package Multimedia/MakeMKV, which I am a maintainer of, without having received a review request. @enzokiel: thanks for your contribution, but I would really re-ask the question: Do we want peer-reviews in Packman? FWIW, @enzokiel: thanks also for approving my SR for handbrake, although no feedback to the SR was provided. I would strongly vote for it, especially for such packages as MakeMKV which contain a significant binary blob... Cheers. l8er manfred
signature.asc
Description: PGP signature
_______________________________________________ Packman mailing list [email protected] https://lists.links2linux.de/cgi-bin/mailman/listinfo/packman
