Overview

Request 1164374 superseded

so I removed go_modules as it doesn't download the same tarball as what is being offered on github

Richard Rahl (author, source maintainer):

I wonder if it wouldn't even be better to just package goipp itself.


Johannes Meixner:

Richard Rahl, thank you for your efforts!

In general it is better to Keep Separated Items Separated - "KSIS" :-) cf. item (5) in RFC 1925 https://www.rfc-editor.org/rfc/rfc1925

In general it is better to have only one upstream source tarball in each package.

So when possible it is better to package goipp as a separated package.

goipp also belongs to the Printing project because it is about the IPP protocol.


Johannes Meixner:

Richard Rahl, thank you for your contribution to openSUSE!

Because ipp-usb provides a new systemd service and new udev rules where that service (triggered by udev) can expose locally connected USB printers (and MFPs) on the network, I opened a security AUDIT bug to be on the safe side.

See in particular https://en.opensuse.org/openSUSE:Package_security_guidelines#Audit_Bugs_for_the_Security_Team

See in general https://en.opensuse.org/openSUSE:How_to_contribute_to_the_Printing_project#General_conditions_for_software_packages_in_the_Printing_project

It may take some time until the security audit is done.


Richard Rahl (author, source maintainer):

Thank you for already asking for an audit. As this is the first package which needs a security audit, I wasn't sure when to actually file one. I don't mind if it takes longer.



Matthias Gerstner:

From security team side we have no problem with this getting a devel project, only the submission towards Factory is limited. I will start looking into the package now.


Johannes Meixner:

Richard Rahl,

please describe via an explanatory comment in the spec file what the additional vendor.tar.zst source is, what its purpose is, and wherefrom it can be downloaded (exact upstream download URL) so that others at openSUSE can understand what that additional source is, why it is needed for the openSUSE package, and that we can verify that vendor.tar.zst in the openSUSE package is the unmodified source from its upstream URL.

When modifications are needed they must be added as separated patch files so we can at least see what was changed compared to the upstream sources - preferably plus explanatory comments (in the spec file or in the patch file) so others can understand why things need to be changed for openSUSE (compared to what unmodified upstream sources provide).

Normally when upstream sources need to be changed to make things work for openSUSE, each case should be reported to upstream (with a URL to the upstream issue as a comment in the spec file for others at openSUSE) so upstream at least knows that its sources cannot be used "as is" (at least not for openSUSE) and ideally (when it is a generic issue) upstream could enhance its sources to make things work in the future "as is" with unmodified upstream sources.


Johannes Meixner:

In this particular case (additional vendor.tar.zst source) the files in vendor/github.com/OpenPrinting/goipp neither match the GitHub master code in https://github.com/OpenPrinting/goipp nor what the tar.gz for v1.0.0 or v1.1.0 on https://github.com/OpenPrinting/goipp/tags contains (in contrast to what vendor/modules.txt seems to tell), so currently the additional vendor.tar.zst source looks rather "suspicious" - at least to me.

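Checking a vendored Go module against an unpacked upstream release, as an added example that is neither part of this request nor of the ipp-usb or goipp projects: it verifies the point raised above (that vendor/github.com/OpenPrinting/goipp should be byte-identical to an upstream tag) and the earlier request that vendor.tar.zst be shown to be unmodified upstream source. It assumes both trees are already unpacked locally; the directory arguments are placeholders.

```shell
#!/bin/sh
# Compare every file of a vendored module tree with its counterpart in an
# unpacked upstream release tarball.
# Files that upstream has but the vendored copy lacks are expected, because
# `go mod vendor` drops tests and unused packages, so only vendored files are
# checked. Any vendored file that is modified or absent upstream is reported.
# Returns 0 when everything matches, 1 otherwise.
check_vendored_module() {
  vendored=$1   # e.g. vendor/github.com/OpenPrinting/goipp (after unpacking vendor.tar.zst)
  upstream=$2   # e.g. goipp-1.1.0 (after unpacking the upstream tag tarball)
  report=$(mktemp)
  ( cd "$vendored" && find . -type f | LC_ALL=C sort ) | while IFS= read -r f; do
    if [ ! -f "$upstream/$f" ]; then
      echo "MISSING upstream: $f"
    elif ! cmp -s "$vendored/$f" "$upstream/$f"; then
      echo "MODIFIED: $f"
    fi
  done > "$report"
  if [ -s "$report" ]; then
    cat "$report"
    rm -f "$report"
    return 1
  fi
  rm -f "$report"
  return 0
}

# Hypothetical invocation (paths are placeholders, not from the request):
#   tar --zstd -xf vendor.tar.zst && tar -xzf goipp-1.1.0.tar.gz
#   check_vendored_module vendor/github.com/OpenPrinting/goipp goipp-1.1.0
```

A clean result only shows that the vendored files equal that tag; it does not tell you which tag vendor/modules.txt claims, so compare the version recorded there with the tarball you fetched.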

Richard Rahl (author, source maintainer):

That's interesting, as I only ever did osc service mr (go_modules). Will verify myself.

Request History
rrahl0 created request

rrahl0 superseded request

superseded by 1164398
