by jcastro 425 days ago
> It uses 20 different copr repos (granted, half are their own), and I didn't count how many packages. Best I can tell, none of the versions are pinned.

Contributor here; we've been working on this diligently over the past cycle (the rest of the org is mostly done; Bazzite is the largest, so we're only getting to it now). We're hoping to be done over the summer with published SBOMs and all that good stuff.

1 comment

That's good to hear; I'm definitely a fan of SBOMs. But it doesn't fully address the risk introduced with automatic selection of the latest package version. If a package has no dependencies, for example, the SBOM wouldn't change if it were compromised with something that's compiled into the package...
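An added example, not code from this thread and not Bazzite's or Universal Blue's own tooling, to make the reply's point concrete: comparing two SBOMs from consecutive image builds by name and version catches a version bump pulled in from an unpinned repo, but a component that keeps its version while the artifact changes is only visible if the SBOM also records artifact hashes. It assumes CycloneDX-style JSON with SHA-256 entries; the two SBOMs and every hash value are constructed for the example.

```python
"""Diff two CycloneDX-style SBOMs from consecutive image builds.

Hypothetical helper (not Bazzite's or Universal Blue's code). Shows what a
version-only comparison reports versus one that also compares artifact hashes.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample SBOMs (not real Bazzite data); hash values are made up.
SBOM_BUILD_1 = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libfoo", "version": "1.2.3",
     "hashes": [{"alg": "SHA-256", "content": "aaaa1111"}]},
    {"type": "library", "name": "libbar", "version": "4.5.6",
     "hashes": [{"alg": "SHA-256", "content": "bbbb2222"}]},
    {"type": "library", "name": "libbaz", "version": "7.8.9",
     "hashes": [{"alg": "SHA-256", "content": "cccc3333"}]},
    {"type": "library", "name": "libnohash", "version": "0.1.0"}
  ]
}
""")

# Build 2: libfoo bumped (unpinned repo shipped a newer release), libbar keeps
# its version but the artifact hash differs, libbaz unchanged, libqux new.
SBOM_BUILD_2 = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libfoo", "version": "1.2.4",
     "hashes": [{"alg": "SHA-256", "content": "dddd4444"}]},
    {"type": "library", "name": "libbar", "version": "4.5.6",
     "hashes": [{"alg": "SHA-256", "content": "eeee5555"}]},
    {"type": "library", "name": "libbaz", "version": "7.8.9",
     "hashes": [{"alg": "SHA-256", "content": "cccc3333"}]},
    {"type": "library", "name": "libnohash", "version": "0.1.0"},
    {"type": "library", "name": "libqux", "version": "2.0.0",
     "hashes": [{"alg": "SHA-256", "content": "ffff6666"}]}
  ]
}
""")

Component = Tuple[str, str]  # (version, sha256 or "" when the SBOM has none)


def index_components(sbom: dict) -> Dict[str, Component]:
    """Map component name -> (version, SHA-256). Missing hashes become ""."""
    out: Dict[str, Component] = {}
    for comp in sbom.get("components", []):
        sha = next((h["content"] for h in comp.get("hashes", [])
                    if h.get("alg") == "SHA-256"), "")
        out[comp["name"]] = (comp.get("version", ""), sha)
    return out


def diff_sboms(old: dict, new: dict) -> Dict[str, List[str]]:
    """Classify every component by what changed between the two builds."""
    a, b = index_components(old), index_components(new)
    report: Dict[str, List[str]] = {
        "added": [], "removed": [], "version_changed": [],
        "same_version_new_hash": [], "no_hash": [], "unchanged": [],
    }
    for name in sorted(set(a) | set(b)):
        if name not in a:
            report["added"].append(name)
        elif name not in b:
            report["removed"].append(name)
        else:
            (v_old, h_old), (v_new, h_new) = a[name], b[name]
            if v_old != v_new:
                report["version_changed"].append(name)
            elif not h_old or not h_new:
                # Same version but no hash on record: a silent rebuild of this
                # package could not be detected from the SBOM at all.
                report["no_hash"].append(name)
            elif h_old != h_new:
                # The case the comment above describes: nothing in the version
                # string moved, yet the artifact is different.
                report["same_version_new_hash"].append(name)
            else:
                report["unchanged"].append(name)
    return report


def version_only_changes(old: dict, new: dict) -> List[str]:
    """What a diff that looks at versions alone would flag."""
    a, b = index_components(old), index_components(new)
    return sorted(n for n in set(a) & set(b) if a[n][0] != b[n][0])


if __name__ == "__main__":
    print("version-only diff:", version_only_changes(SBOM_BUILD_1, SBOM_BUILD_2))
    for category, names in diff_sboms(SBOM_BUILD_1, SBOM_BUILD_2).items():
        print(f"{category:>22}: {names}")
```

Run as a script it prints the version-only view (just libfoo) next to the full report, where libbar shows up under same_version_new_hash and libnohash under no_hash; the first list is what an SBOM without hashes can tell you, the second is what it takes to notice a changed artifact behind an unchanged version.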