Attackers could put the special files in .osc into the actual package sources (e.g. _apiurl). This allows the attacker to change the configuration of osc for the victim
{ "binaries": [ { "binary_name": "osc", "binary_version": "0.152.0-1" } ] }
{ "binaries": [ { "binary_name": "osc", "binary_version": "0.162.1-1" } ] }
{ "binaries": [ { "binary_name": "osc", "binary_version": "0.167.1-1" } ] }
{ "binaries": [ { "binary_name": "osc", "binary_version": "0.169.1-1" } ] }
{ "binaries": [ { "binary_name": "osc", "binary_version": "0.169.1-2" } ] }