Re: Three steps we could take to make supply chain attacks a bit harder

On Sun, 2024-03-31 at 13:28 +0100, Daniel P. Berrangé wrote:
> > 
> > 3. We have no mechanism to flag when J. Random Packager adds
> > "Supplements: glibc" to their random leaf node package. As a reminder,
> > *we are a project that allows 1,601 minimally-vetted people to deliver
> > arbitrary code executed as root on hundreds of thousands of systems*,
> > and this mechanism allows any one of those people to cause the package
> > they have complete control over to be automatically pulled in as a
> > dependency on virtually every single one of those systems.
> 
> This is as much a distro design problem, as a Fedora process
> problem. The typical Linux distro model is that everything is
> installed in the same namespace, and we only avoid interference
> (whether accidental or intentional) by careful packaging design
> and review.
> 
> This is somewhere where the image based Linux distro model has
> a potential benefit, with a comparatively slim distro base, and
> then applications as self contained separated entities, whether
> server apps in podman containers, or GUI apps in flatpaks.
> 
> No easy answers here though, as the traditional Linux model isn't
> going away any time in the foreseeable future.

Well, definitely no easy answers, but I would argue this is the kind of
thing we as a distributor *should* be worrying about and addressing,
maybe with more urgency than things that are not primarily the
responsibility of the distributor, in the supply chain.

Maybe this needs to go on the growing pile of reasons why the
traditional Linux model *does* need to go away. Maybe Fedora, with its
foundation of First, should be kind of at the forefront of making that
happen.
-- 
Adam Williamson (he/him/his)
Fedora QA
Fedora Chat: @adamwill:fedora.im | Mastodon: @adamw@xxxxxxxxxxxxx
https://www.happyassassin.net
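The mechanism Adam describes in point 3 is the RPM weak dependency "Supplements:", which lets a package declare that it should be pulled in whenever some other package is installed. Below is an added example, not Fedora tooling, of the kind of review check the thread says is missing: scan spec file text for Supplements: tags whose target is a near-universal package. The BASE_PACKAGES set and the sample spec snippets are constructed for illustration; they are not a Fedora policy list or real packages.

```python
"""Flag RPM 'Supplements:' tags that target near-universal packages.

Added example (not Fedora's own tooling). Given the text of one or more
spec files, report every Supplements: line whose target would cause the
package to be installed on practically every system. BASE_PACKAGES is an
assumed allowlist of "everywhere" packages, chosen for illustration.
"""
import re
from dataclasses import dataclass

# Assumption: these are treated as present on essentially every install.
BASE_PACKAGES = {"glibc", "bash", "filesystem", "systemd", "coreutils", "rpm"}

# One Supplements: tag per line; '#'-commented lines do not match because
# the pattern is anchored at (optionally indented) line start.
TAG_RE = re.compile(r"^\s*Supplements\s*:\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)

# Boolean keywords used by RPM rich dependencies, e.g. "(foo and bar)".
RICH_KEYWORDS = {"and", "or", "if", "else", "with", "without", "unless"}
VERSION_OPS = {">=", "<=", "=", ">", "<"}


def _targets(value: str) -> list[str]:
    """Reduce the right-hand side of a Supplements: tag to bare names.

    Handles comma/whitespace separated lists and rich dependencies such as
    "(bash >= 5.0 and foo)"; version constraints are dropped so that only
    the package or capability names remain.
    """
    cleaned = re.sub(r"[()]", " ", value)
    names: list[str] = []
    skip_version = False
    for tok in re.split(r"[,\s]+", cleaned):
        if not tok or tok in RICH_KEYWORDS:
            continue
        if tok in VERSION_OPS:
            skip_version = True      # the next token is a version, not a name
            continue
        if skip_version:
            skip_version = False
            continue
        names.append(tok)
    return names


@dataclass
class Finding:
    spec: str      # which spec file
    line: int      # 1-based line number of the tag
    target: str    # the base package being supplemented
    raw: str       # the full tag line as written


def find_broad_supplements(specs: dict[str, str],
                           base_packages: set[str] = BASE_PACKAGES) -> list[Finding]:
    """Return one Finding per (spec, Supplements: tag, base-package target)."""
    findings: list[Finding] = []
    for spec_name, text in specs.items():
        for m in TAG_RE.finditer(text):
            lineno = text.count("\n", 0, m.start()) + 1
            for target in _targets(m.group(1)):
                if target in base_packages:
                    findings.append(Finding(spec_name, lineno, target, m.group(0).strip()))
    return findings


# Constructed sample input: three hypothetical spec files.
SAMPLE_SPECS = {
    # Legitimate use: supplement a specific application, not the base system.
    "legit-plugin.spec": "Name: legit-plugin\nSupplements: (someapp and someapp-plugins)\n",
    # The case from the thread: a leaf package supplementing glibc.
    "random-leaf.spec": "Name: random-leaf\nVersion: 1.0\nSupplements: glibc\n",
    # Same effect hidden inside a rich dependency with a version constraint.
    "sneaky.spec": "Name: sneaky\nSupplements: (bash >= 5.0 and foo)\n",
}

if __name__ == "__main__":
    for f in find_broad_supplements(SAMPLE_SPECS):
        print(f"{f.spec}:{f.line}: supplements base package '{f.target}': {f.raw}")
```

Against the constructed samples this reports random-leaf.spec (glibc) and sneaky.spec (bash) and stays silent on legit-plugin.spec. The check is deliberately conservative: a tag inside an %if block is still flagged, since the reviewer can decide whether the condition makes it harmless. To audit what is already in a repository rather than a spec under review, `dnf repoquery --whatsupplements glibc` lists the packages that currently supplement glibc.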



--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
