On Tue, Apr 26, 2022 at 11:49 AM Fabio Valentini <decathorpe@xxxxxxxxx> wrote: > > On Tue, Apr 26, 2022 at 10:08 AM David Bold <davidsch@xxxxxxxxxxxxxxxxx> wrote: > > > > > I think it does require some changes to CI, otherwise, this will execute > > untrusted code when all it was supposed to do is download. I do > > currently assume that I can run `spectool -g` on an untrusted spec to > > look at the source code, without running untrusted code. Also, this sounds like you misunderstand what spectool does. All it does is call RPM to parse the .spec file (which might already execute arbitrary lua code), and then get the list of Source and Patch files from that parsed data. If you specify the "-g" flag, it will also attempt to download those files, if they are specified as URLs. If you want to do something else, you're probably looking for a different tool. Fabio _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
