On Friday, July 3, 2020 9:48:06 AM CEST Pierre-Yves Chibon wrote:
So if we were to give the builders commit access to dist-git, an attacker could easily commit to any other packages, potentially from something as easy as a scratch-build.
Absolutely!
Koji authenticates build submitters (I'm not sure it authorizes them). So technically, _something_ on backend could be allowed to commit to dist-git (in the name of build submitter).
Before the SRPM build task, Koji could request "GetReleaseBumpPatch" task, the builder could then just read-only clone the git, bump the release, return the patch back for backend -- and let Koji apply it.
But yeah, that's off topic a bit. This is not what the current proposal is about.
Pavel