On Mon, Apr 1, 2024 at 17:11:46 -0400, Matthew Miller via devel wrote: On Sat, Mar 30, 2024 at 08:11:38PM +0100, Kevin Kofler via devel wrote:
Unit tests are something for upstream developers. They should NEVER be run in a distribution build.
Even in the few little packages I'm still responsible for, I sometimes see unit test failures. The developer ran the tests, but not on S390. Or, with a different timezone database than current in Fedora. Or etc.
IMHO, there's no good way to *programmatically* protect ourselves from a malicious upstream on which we depend. If their goal is to compromise us, they will work around whatever programmatic/technical measures we happen to have in place at the time they decide to launch their attack.
Any potential defense against this sort of thing will have to be *social*, and/or *process* based. Packagers should get to know (as best as possible) their upstream maintainers and developers -- by reaching out over upstream's dev fora, by meeting up at events and conferences, etc. Packagers should hopefully be familiar with the human *and* technical situation of upstream, and have a chance to notice when things go "weird".
Just another $0.02 from the peanut gallery...
Cheers, --Gabriel