Attackers could put the special files in .osc into the actual package sources (e.g. _apiurl). This allows the attacker to change the configuration of osc for the victim
{ "binaries": [ { "binary_version": "0.152.0-1", "binary_name": "osc" } ] }
{ "binaries": [ { "binary_version": "0.162.1-1", "binary_name": "osc" } ] }
{ "binaries": [ { "binary_version": "0.167.1-1", "binary_name": "osc" } ] }
{ "binaries": [ { "binary_version": "0.169.1-1", "binary_name": "osc" } ] }
{ "binaries": [ { "binary_version": "0.169.1-2", "binary_name": "osc" } ] }