Bug 1223086 - consider integrity checking in source services mandatory
Summary: consider integrity checking in source services mandatory
Status: RESOLVED FIXED
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
Version: Current
Hardware: Other Other
Importance: P5 - None Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-04-18 14:00 UTC by Jan Zerebecki
Modified: 2024-05-15 12:08 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Jan Zerebecki 2024-04-18 14:00:36 UTC
Not sure if this is the right component/product... I have previously asked this similarly via mail, so trying here to not let it drop off the table again:

Can we agree to consider the following as security bugs?:

In scope:
Any source service available in Factory, when no explicit argument like "insecure" is enabled (so that a program can find and count them; an exhaustive list of those exception labels will be defined later in source_validator).
If a bug is found that makes the output not reproducible or makes verification of downloads not cryptographically secure, it is categorised as a security bug to be fixed.

Out of scope, for now:
How those services are used in packages.

For larger context see:
https://github.com/openSUSE/obs-service-source_validator/issues/134
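
The following is an added illustration of the property the report asks for, not code from openSUSE, OBS or any source service: a fetcher helper that refuses to hand out a downloaded file unless it matches a pinned digest computed with a collision-resistant algorithm, and that only skips verification when the caller explicitly opts out. The function names, the `insecure` flag, the accepted-algorithm set and the sample payload are assumptions made for this example; the real exception labels are, per the report, still to be defined in source_validator.

```python
"""Illustrative download-integrity check in the style a source service could use.

Added example, not code from openSUSE/OBS. Function names, the 'insecure'
flag, SECURE_ALGORITHMS and the sample data are assumptions for illustration.
"""
import hashlib
import hmac
import os
import tempfile

# Algorithms accepted as "cryptographically secure" verification (assumption).
# md5 and sha1 are collision-broken, so a pin using them counts as no pin at all.
SECURE_ALGORITHMS = {"sha256", "sha512"}


class IntegrityError(Exception):
    """Raised when a fetched file cannot be verified; callers fail closed."""


def file_digest(path, algorithm, chunk_size=1 << 16):
    """Stream the file through hashlib so large tarballs need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected_digest, algorithm, insecure=False):
    """Verify a downloaded file against a pinned digest.

    Returns "verified" when the pin matches using a secure algorithm, or
    "skipped" when the caller explicitly set insecure=True (the countable
    exception the bug report describes). Every other outcome raises
    IntegrityError so no service output is ever built from unverified input.
    """
    algorithm = (algorithm or "").lower()
    if algorithm not in SECURE_ALGORITHMS or not expected_digest:
        if insecure:
            return "skipped"
        raise IntegrityError(
            f"{path}: no secure digest pinned (algorithm={algorithm!r}); "
            "refusing to use an unverified download"
        )
    actual = file_digest(path, algorithm)
    # compare_digest is cheap and avoids ad-hoc string comparison mistakes,
    # even though the pinned digest itself is public.
    if not hmac.compare_digest(actual, expected_digest.lower()):
        raise IntegrityError(
            f"{path}: {algorithm} mismatch: expected {expected_digest}, got {actual}"
        )
    return "verified"


def demo():
    """Exercise the four outcomes on a constructed file and return them by name."""
    payload = b"constructed sample tarball contents\n"  # constructed, not a real source
    pinned = hashlib.sha256(payload).hexdigest()
    tampered = ("1" if pinned[0] == "0" else "0") + pinned[1:]  # flip first hex digit
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.tar")
        with open(path, "wb") as fh:
            fh.write(payload)
        results["good"] = verify_download(path, pinned, "sha256")
        results["skipped"] = verify_download(path, None, None, insecure=True)
        try:
            verify_download(path, tampered, "sha256")
            results["tampered"] = "accepted"
        except IntegrityError:
            results["tampered"] = "rejected"
        try:
            verify_download(path, hashlib.md5(payload).hexdigest(), "md5")
            results["md5"] = "accepted"
        except IntegrityError:
            results["md5"] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design point is that the insecure path is a separate, explicit return value rather than a silent fallthrough, which is what makes such exceptions enumerable by a validator, and that a weak algorithm is treated the same as a missing pin rather than as a weaker form of verification.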
Comment 1 Johannes Segitz 2024-05-15 12:07:19 UTC
We discussed that a bit further via email. To make it explicit:
This only applies to packages that use source services. This doesn't make it mandatory to use them.

As discussed in the team: going forward we will treat issues like the one described by Jan as security issues.
Comment 2 Jan Zerebecki 2024-05-15 12:08:44 UTC
Thank you!