On Mon, Apr 1, 2024 at 17:11:46 -0400, Matthew Miller via devel wrote:
> On Sat, Mar 30, 2024 at 08:11:38PM +0100, Kevin Kofler via devel wrote:
> > Unit tests are something for upstream developers. They should NEVER be run
> > in a distribution build.
>
> Even in the few little packages I'm still responsible for, I sometimes see
> unit test failures. The developer ran the tests, but not on S390. Or, with a
> different timezone database than current in Fedora. Or etc.

IMHO, there's no good way to *programmatically* protect ourselves from a malicious upstream on which we depend. If their goal is to compromise us, they will work around whatever programmatic/technical measures we happen to have in place at the time they decide to launch their attack.

Any potential defense against this sort of thing will have to be *social*, and/or *process* based. Packagers should get to know (as best as possible) their upstream maintainers and developers -- by reaching out over upstream's dev fora, by meeting up at events and conferences, etc. Packagers should hopefully be familiar with the human *and* technical situation of upstream, and have a chance to notice when things go "weird".

Just another $0.02 from the peanut gallery...

Cheers,
--Gabriel