On Mon, Apr 1, 2024 at 17:11:46 -0400, Matthew Miller via devel wrote:
> On Sat, Mar 30, 2024 at 08:11:38PM +0100, Kevin Kofler via devel wrote:
> > Unit tests are something for upstream developers. They should NEVER be run
> > in a distribution build.
> Even in the few little packages I'm still responsible for, I sometimes see
> unit test failures. The developer ran the tests, but not on S390. Or, with a
> different timezone database than current in Fedora. Or etc.
IMHO, there's no good way to *programmatically* protect ourselves
from a malicious upstream on which we depend. If their goal is to
compromise us, they will work around whatever programmatic/technical
measures we happen to have in place at the time they decide to launch
their attack.
Any potential defense against this sort of thing will have to be
*social*, and/or *process* based. Packagers should get to know (as
best as possible) their upstream maintainers and developers -- by
reaching out over upstream's dev fora, by meeting up at events and
conferences, etc. Packagers should hopefully be familiar with the
human *and* technical situation of upstream, and have a chance to
notice when things go "weird".
Just another $0.02 from the peanut gallery...
Cheers,
--Gabriel