On Wed, Sep 6, 2023 at 2:01 PM Kevin Fenzi <kevin@xxxxxxxxx> wrote: > > On Wed, Sep 06, 2023 at 04:15:48PM -0000, Siddhesh Poyarekar wrote: > > > My questions: > > > > > > Do you agree it's a false positve? > > > Can you sanction ammending Fedora rpminspct policy with: > > > > > > unicode: > > > ignore: > > > # 0x202D character used on purpose to demonstrate RLE in > > > # a documentation. > > > - Prima-*/Prima/Drawable/Glyphs.pm > > > > +1, sounds reasonable to me, although maybe rpminspect should continue logging such instances for future audit, without blocking updates. > > yeah, it seems odd to block fedora updates here. > > I wouldn't think this should be blocking in fedora...and I agree this is > a false positive here. >From a supply chain security perspective I think it's not a bad idea to block updates (unless there is a documented waiver) when it is first encountered, at least for now since the present state of things is such that RTL in code is unnatural. Maybe if it becomes more common in future to have, e.g. Arabic comments, the check could then be made smarter to look only for non-comment usage of bidi chars. Thanks, Sid _______________________________________________ security mailing list -- security@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to security-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/security@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
