Bug 1223086

Summary: consider integrity checking in source services mandatory
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Jan Zerebecki <jzerebecki>
Component: Security
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: jsegitz
Version: Current
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Jan Zerebecki 2024-04-18 14:00:36 UTC
Not sure if this is the right component/product... I have previously asked this similarly via mail, so trying here to not let it drop off the table again:

Can we agree to consider the following as security bugs?

In scope:
Any source services available in Factory, when no explicit argument like "insecure" is enabled (so a program can find and count them, an exhaustive list of those exception labels will be later defined in source_validator).
If a bug is found that makes the output not reproducible or makes verification of downloads not cryptographically secure, it is categorised as a security bug to be fixed.

Out of scope, for now:
How those services are used in packages.

For larger context see:
https://github.com/openSUSE/obs-service-source_validator/issues/134

Comment 1 Johannes Segitz 2024-05-15 12:07:19 UTC
We discussed that a bit further via email. To make it explicit:
This only applies to packages that use source services. This doesn't make it mandatory to use them.

As discussed in the team: going forward we will treat issues like the one described by Jan as a security issue.

Comment 2 Jan Zerebecki 2024-05-15 12:08:44 UTC
Thank you!