On Tue, Oct 5, 2021 at 11:27 AM Matthew Miller <mattdm(a)fedoraproject.org> wrote:
On Mon, Oct 04, 2021 at 09:17:30PM +0200, Vitaly Zaitsev via devel wrote:
> >Is this really necessary?
>
> Yes. Because anyone can add something like this:
> %post
> rm -rf /
>
> And it will destroy the installed system or even the hardware.
Yeah, but... that's not going get through the PR process? In fact, that
specific thing should fail in CI before a human gets to it even.
So you're going to ensure that the people using this package to
experiment/learn can *only* submit via PR? I like that. I find it to
be better, but not sufficient depending on how that works.
Overall, we put a lot of trust in maintainers. I don't see this
_particular_
route as a likely one for violating that trust.
I think I'd like to see a more sketched out flow. This isn't for
maintainers, it's for people trying to learn to be maintainers.
They're still building that trust via this whole thing, right?
josh