[packman] code reviews?
Bernhard M. Wiedemann
bernhardout at lsmod.de
Tue Nov 18 13:11:58 CET 2025
Hi,

In a recent discussion at
https://www.reddit.com/r/openSUSE/comments/1ozu0l2/comment/npeyu4g/
I noticed that there are around 35 accounts with write access to the
Essentials repo.

This worries me because a compromise of any one of those accounts would
allow for malicious code to be distributed to a lot of openSUSE users.
Maybe some of these accounts are not even used anymore?

Would it be possible to reduce the number to below 10 and use more
submit-requests with reviews for code updates?
Several packages are links to OBS anyway and don't need manual updating.

So what do you think about that?
Or is there some other way to increase the trustability of Packman packages?

Ciao
Bernhard M. Wiedemann
(maintainer of openSUSE-Slowroll and security-enthusiast)

P.S. I also sometimes test for reproducible-builds and so far results
looked decent. Last test was 11 months ago.