On Friday, July 3, 2020 9:48:06 AM CEST Pierre-Yves Chibon wrote:
So if we were to give the builders commit access to dist-git, an
attacker
could easily commit to any other packages, potentially from something as easy
as a scratch-build.
Absolutely!
Koji authenticates build submitters (I'm not sure it authorizes them). So
technically, _something_ on backend could be allowed to commit to dist-git
(in the name of build submitter).
Before the SRPM build task, Koji could request "GetReleaseBumpPatch" task, the
builder could then just read-only clone the git, bump the release, return the
patch back for backend -- and let Koji apply it.
But yeah, that's off topic a bit. This is not what the current proposal is
about.
Pavel