Hacker News new | ask | show | jobs
by secondaryacct 1681 days ago
It s very easy: add a dev signature in the repo that cannot be changed ever, and force the devs to sign their stuff before allowing a change of binary or a download.

Like that you can have anything trying to upload but fail the signature check.
1 comments
nathanaldensr 1681 days ago
This assumes that the developers themselves are not malicious (see: left-pad) and that their signing keys can't be stolen.
link