2025-06-05 –, Quartz
Fedora packagers have to upload upstream sources prior to build. They are supposed to validate the content they build in Fedora before submitting it. However, many projects depend on others, to the point that sometimes hundreds of small packages are bundled together. This makes it challenging for packagers to handle updates for projects written in JavaScript, Rust, Go, Java or similar languages, where the ecosystem is built around small and interdependent components. An attack on a chained dependency might go unnoticed for a long time.
The Fedora Project has long struggled with packaging these components. While it is hard to solve the packaging problem without increasing effort, there are still ways to help Fedora packagers in their job. This talk will look into an experiment the FreeIPA team ran together with Red Hat Engineering's Core Platform Management group on helping to prevent malware from getting into Fedora.