Scott Schmit wrote on Sun, Mar 31, 2024 at 05:02:44PM -0400: > Deleting the tests makes no sense to me either, but it seems like a > mechanism that ensures the test code can't change the build outputs (or > a mechanism to detect that it's happened and abort the build) would > allow upstream tests to be run without compromising the integrity of the > build itself. Just to be clear here that wouldn't have been enough: it's not the test step that's modifying the binaries, the actual build step is modified in the right conditions to use data that looks like it belongs to a test (I've read the actual files aren't actually used in any test and just look like test data, I didn't check, it wouldn't be hard to make a test that uses them anyway) So short of deleting all blobs e.g. all test data this wouldn't have been prevented, just not running tests isn't enough. In theory it'd be possible to build twice: - one normal build with test data, and run tests at the end - a second build without test data (and confirm we've got an identical binary, builds are reproducible right?!) But while we might be able to afford the computing cost, I'm not sure it's worth it -- this attack vector happened to use test data, but there are plenty of other ways of doing this, and even just identifying / removing test data in the first place is hard work for packagers (I guess we could try to detect binary files but there is no end to that either, and many builds would just break if we were to automatically remove tests...) (Anyway, I also think tests bring more benefits than risks in our case) -- Dominique Martinet | Asmadeus -- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue