On Thu, Apr 29, 2021, at 4:04 PM, przemek klosowski via devel wrote:
> A few weeks ago we had an announcement of a Python supply chain hack where
> people supplied libraries with names matching some private library
> names, which took precedence and overrode those private libraries,
> giving the hackers control.
>
> Now, the name collisions are built in to RPM, because that's how
> updates work: the original package is in 'fedora' and the updates are
> in, well, 'updates'.

In rpm-ostree it works differently; the `fedora` and `updates` repos are rolled together to make the "base image". Then, client side, we distinguish between the "base image" and extensions. No layered RPM (operating system extension) can replace (or cause to be removed via a depsolve clash) a "base image package" by default. (But you can of course use `override replace/remove` to do so; it just requires very explicit action that will also remain very visible in `rpm-ostree status`.)

So it's even stronger in many ways than, say, vendor locking - we won't e.g. silently depsolve back to an ancient kernel/glibc from the `fedora` repo ever either (since no one ever wants that).

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
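The message above makes the point that base-image overrides are explicit and stay visible in `rpm-ostree status`. The following is an added example (not from the mail, and not rpm-ostree project code) of turning that visibility into an audit check: it parses the human-readable `rpm-ostree status` output and reports every deployment whose base image was changed with `override replace` or `override remove`, while plain layered packages are left alone because they cannot displace a base package. It assumes the status output labels `LayeredPackages`, `RemovedBasePackages` and `ReplacedBasePackages` and the `●` booted marker; the sample status text is constructed, not captured from a real host.

```python
"""Audit rpm-ostree deployments for base-image overrides.

Added example; parses `rpm-ostree status` output (label names assumed) and
flags deployments whose base image was altered via `rpm-ostree override`.
"""
import re
import subprocess
from dataclasses import dataclass, field

# Constructed sample of `rpm-ostree status` output (not from a real host).
# The booted deployment carries two base-image overrides; the second one
# only layers packages on top of an untouched base image.
SAMPLE_STATUS = """\
State: idle
Deployments:
● fedora:fedora/34/x86_64/silverblue
                   Version: 34.20210429.0 (2021-04-29T00:46:16Z)
                    Commit: 1a2b3c4d5e6f
       RemovedBasePackages: firefox 88.0-1.fc34
      ReplacedBasePackages: kernel kernel-core kernel-modules 5.11.16-300.fc34 -> 5.11.12-300.fc34
           LayeredPackages: fish libvirt-client

  fedora:fedora/34/x86_64/silverblue
                   Version: 34.20210428.0 (2021-04-28T00:45:02Z)
                    Commit: 0f9e8d7c6b5a
           LayeredPackages: fish libvirt-client
"""

# Deployment header: "● remote:ref" for the booted one, "  remote:ref" otherwise.
_HEADER_RE = re.compile(r"^(●)?\s*(\S+:\S+)\s*$")
# Field line: "          Label: value"
_FIELD_RE = re.compile(r"^\s*([A-Za-z]+): (.*)$")

# Labels (assumed from the status output format) that mean the base image
# itself was changed. LayeredPackages is deliberately not in this set.
BASE_OVERRIDE_LABELS = ("RemovedBasePackages", "ReplacedBasePackages")


@dataclass
class Deployment:
    ref: str
    booted: bool
    fields: dict = field(default_factory=dict)

    @property
    def commit(self):
        return self.fields.get("Commit", "?")

    @property
    def layered(self):
        """Extensions layered on top of the base image (allowed by default)."""
        return self.fields.get("LayeredPackages", "").split()

    @property
    def base_overrides(self):
        """Overrides that altered the base image; empty when it is untouched."""
        return {k: self.fields[k] for k in BASE_OVERRIDE_LABELS if k in self.fields}


def parse_status(text):
    """Parse `rpm-ostree status` text into a list of Deployment objects."""
    deployments, in_deployments, last_key = [], False, None
    for line in text.splitlines():
        if not in_deployments:
            in_deployments = line.strip() == "Deployments:"
            continue
        if not line.strip():
            last_key = None
            continue
        m = _HEADER_RE.match(line)
        if m:
            deployments.append(Deployment(ref=m.group(2), booted=m.group(1) == "●"))
            last_key = None
            continue
        m = _FIELD_RE.match(line)
        if m and deployments:
            last_key = m.group(1)
            deployments[-1].fields[last_key] = m.group(2).strip()
        elif last_key and deployments:
            # Long package lists wrap onto indented continuation lines.
            deployments[-1].fields[last_key] += " " + line.strip()
    return deployments


def base_override_report(deployments):
    """Return (commit, booted, overrides) for every deployment with a changed base."""
    return [(d.commit, d.booted, d.base_overrides) for d in deployments if d.base_overrides]


def check_host():
    """Run the same check against the live host (requires rpm-ostree)."""
    out = subprocess.run(["rpm-ostree", "status"], check=True,
                         capture_output=True, text=True).stdout
    return base_override_report(parse_status(out))


if __name__ == "__main__":
    for commit, booted, overrides in base_override_report(parse_status(SAMPLE_STATUS)):
        print(f"{commit} ({'booted' if booted else 'not booted'}): base image overridden")
        for label, value in overrides.items():
            print(f"  {label}: {value}")
```

For anything beyond a quick audit, feed the check from `rpm-ostree status --json` instead of scraping the human-readable layout, since the text labels and indentation are not a stable interface; the policy being checked stays the same: layered packages are fine, a non-empty removed or replaced base-package set is a deliberate deviation from the signed base image and should be accounted for.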