by bri3d
1915 days ago
Sure, I see where you're coming from. I think your approach makes you come off as not very credible, though. Plus, it puts developers on the defensive and won't cause them to cooperate. A simple "I'm not comfortable with code on my machine being updated remotely without my approval, because I believe an attacker could infiltrate the supply chain" explains the problem you're having more precisely and turns into a simple feature request (turn off the auto-updater - which is already possible, as documented in that thread!) rather than trying to convince an entire industry that a commonly accepted practice (installation of signed remote updates) amounts to 0day RCE by putting them on the defensive.