On Tue, Apr 26, 2022 at 10:08 AM David Bold <davidsch(a)fedoraproject.org> wrote:
I think it does require some changes to CI, otherwise, this will
execute
untrusted code when all it was supposed to do is download. I do
currently assume that I can run `spectool -g` on an untrusted spec to
look at the source code, without running untrusted code.
Unless you want to propose an entirely declarative way to specify how
to generate "clean" tarballs, you're going to end up executing user
code.
I think the user should make an active decision to execute such
scripts,
thus a API change for CI would be needed.
If you don't want user code to be executed at all, you're already
fighting a losing battle against RPM.
All .spec files and macros can contain arbitrary lua scripts, which
are executed at parse-time.
Fabio