On Sat, Mar 30, 2024 at 07:15:28PM -0700, Otto Kekäläinen wrote:
> I am doing all my builds inside a (Podman) container with the sources
> loop-mounted.

You do, but Debian itself (aka DSA) does not. They still prefer to trust all 100k packages and run them as root in the init namespace over the five people who can log in as buildd and potentially trigger capability-reachable problems in the kernel. This is what got us in part of the situation, as we don't even know if the buildd hosts are untampered.

Bastian

-- 
Spock: The odds of surviving another attack are 13562190123 to 1, Captain.