this post was submitted on 17 Sep 2024
446 points (99.1% liked)

Open Source

31116 readers
322 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
 

I had no idea this issue had been identified. While I find this tool very useful, the project is seeming rather questionable to me now.

you are viewing a single comment's thread
view the rest of the comments
[–] pupbiru@aussie.zone 24 points 1 month ago (1 children)

that’s what automation is for - nobody is going to manually check them, but anyone is able to automatically set something up to check their hashes in change… the fact that it’s possible that anyone is doing that now that it’s a known issue perhaps makes it less problematic as an attack vector

[–] refalo@programming.dev 3 points 1 month ago (1 children)

That is true, but also nobody is doing it. Just like nobody is verifying Signal's "reproducible builds".

[–] pupbiru@aussie.zone 4 points 1 month ago (1 children)

are you sure?

there could be thousands just waiting for a failure to come out and say “HEY THIS IS DODGY”

[–] refalo@programming.dev 1 points 1 month ago* (last edited 1 month ago)

Yea because I tested it myself. Nobody else seems to care, and if they did, I would think there would be a public way to see regular test results regardless.

I know this exists for some projects, but somehow nothing privacy-sensitive