[packman] code reviews?
Luigi Baldoni
aloisio at gmx.com
Tue Nov 18 15:22:22 CET 2025
Sent: Tuesday, November 18, 2025 at 1:11 PM
From: "Bernhard M. Wiedemann" <bernhardout at lsmod.de>
>
> In a recent discussion at
> https://www.reddit.com/r/openSUSE/comments/1ozu0l2/comment/npeyu4g/
> I noticed that there are around 35 accounts with write access to the
> Essentials repo.
>
> This worries me because a compromise of any one of those accounts would
> allow for malicious code to be distributed to a lot of openSUSE users.
>
> Maybe some of these accounts are not even used anymore?
> Would it be possible to reduce the number to below 10 and use more
> submit-requests with reviews for code updates?
>
> Several packages are links to OBS anyway and don't need manual updating.
>
> So what do you think about that?
> Or is there some other way to increase the trustability of Packman packages?
If there actually are 35 full maintainers, I agree it's too many.
Perhaps someone should check the logs and disable such accounts that haven't been
accessed recently and compartmentalise the rest better.

Personally, I do have write access but it was given to me years ago back when I
had far more spare time, so it can be pruned if that simplifies the process.

Regards