I would think that this question would be better targeted to the upstream developers/maintainers of the packages that are included with Fedora, including but not limited to the Linux kernel, GNOME, GNU utilities, LibreOffice, etc.
From what I understand, Fedora picks up the sources from those upstream developers, rebuilds and repackages them. The majority of the development is done upstream.
(I’m sure if I’ve misinterpreted this, someone will correct me).
I think you are right, Fedora's approach is to just use the latest upstream and do good testing.
But upstream differs in quality, and the purpose of a distribution is the said testing, also security auditing, so I was wondering how this is done.
Fuzzing is a special case because it even works with binaries, so it could even be done for e.g. the proprietary software with preinstalled repos on Fedora.