by morelisp 1261 days ago
> anyone who isn't fetching their packages through Google's proxy will get told that whatever they're using is trying to trick them.

No, the error message you get is neutral about which side might be wrong - it says "verifying module: checksum mismatch" and "This download does NOT match the one reported by the checksum server." (I've seen it a lot because it also appears when module authors rebase, which a small but surprisingly high number do...)

1 comments

Wow, that is shocking. There is never a reason to rebase a public git repo, except maybe a credentials leak in the past.
Even then, you want to revoke those credentials rather than try to wipe it from history, no?
That is what I think, but security people want both.
Strange, I hadn't come across that before. Not sure what they're trying to achieve, deny they ever had a leak?
Third-party security consultants, following a checklist.
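An added example, not part of the thread and not the Go toolchain's own code: a simplified model of the `h1:` directory hash, showing why a version whose history was rewritten after publication fails verification against the hash recorded earlier. The names `h1`, `verify`, `original` and `retagged` and the sample file contents are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// h1 computes a Go-style "h1:" hash over an in-memory file set: the SHA-256
// of the sorted "<hex sha256 of file>  <name>\n" summary lines, base64-encoded.
func h1(files map[string]string) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	sum := sha256.New()
	for _, n := range names {
		fmt.Fprintf(sum, "%x  %s\n", sha256.Sum256([]byte(files[n])), n)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(sum.Sum(nil))
}

// verify compares a download against the hash recorded for that version.
// It cannot tell which side changed, only that the two disagree.
func verify(recorded string, download map[string]string) error {
	if got := h1(download); got != recorded {
		return fmt.Errorf("checksum mismatch\n\tdownloaded: %s\n\trecorded:   %s", got, recorded)
	}
	return nil
}

// Constructed sample: the same tag before and after the author rewrote history.
var original = map[string]string{
	"example.com/mod@v1.0.0/go.mod": "module example.com/mod\n",
	"example.com/mod@v1.0.0/lib.go": "package mod\n\nfunc Answer() int { return 42 }\n",
}
var retagged = map[string]string{
	"example.com/mod@v1.0.0/go.mod": "module example.com/mod\n",
	"example.com/mod@v1.0.0/lib.go": "package mod\n\nfunc Answer() int { return 43 }\n",
}

func main() {
	recorded := h1(original) // what was recorded when v1.0.0 was first fetched
	fmt.Println(verify(recorded, original))
	fmt.Println(verify(recorded, retagged))
}
```

A one-byte change under an unchanged version tag is enough to change the hash, so the check fails the same way whether the change was a benign rebase or tampering.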