Hey Richard,

Should we have a higher level of attention to these packages? We
already have "critical path", but that's a broad category now. These
seem like they are "security path" packages, an intentionally small
subset associated with very secure services which are enabled by
default.

It sounds like a good plan to put certain dependencies on a critical path. Perhaps
anything that is used by packages included in the various editions of Fedora that
allow for remote access (even if disabled by default) could fall under that path?
We could also try to ensure that packages do not contain any binary blobs and instead
require generation scripts for those that we can run ourselves.

Regards,
Simon