Forbid encrypted zip files

[DimStar77]

bad idea ! We have gdk-pixbug intentionally encrypted as the test suite is reported by amavis on SLE to be 'infected'...

the only way around that so far was using an encrypted zip file

[DimStar77]

CC @fcrozat IIRC you came up with the encrypted zip for gdk-pixbuf

[dirkmueller]

@DimStar77 That's exactly why we have a check against such abuses now. I validaetd that neither the packed tar.xz nor the unpacked tar.xz are finding any issue with clamav on both tumbleweed and SLE.

[fcrozat]

I wonder if we should switch to a OBS source service and remove the offending file from git checkout ?

[adrianschroeter]

or to a git base package using a git submodule where you leave out the file during tar creation ...

However, the bug is not in the source of the package here. We should not damage the package when actually the clamav has the bug. It should be fixed there ... and it seems it is already.

[dirkmueller]

@fcrozat obs source service are not a good idea as they require trusting the packager. we would like to have verifyable sources

[DimStar77]

@fcrozat obs source service are not a good idea as they require trusting the packager. we would like to have verifyable sources

obs_scm being one of the most commonly used (over tar.*) we'd rather expand the source_validator to check verify the .obscpio provided. we have information about the commit used after all - validating should not be too hard.

[dirkmueller]

obs_scm being one of the most commonly used (over tar.*) we'd rather expand the source_validator to check verify the .obscpio provided. we have information about the commit used after all - validating should not be too hard.

Things can be always improved. PRs are accepted. First improvement towards a more secure future we have now forbidden encrypted zip files. Next level is sha256 git repositories. and then signatures. We'll be the most secure distro of all!