by hobofan 1127 days ago
That's already prevented by the checksum which is present for all crate versions in the registry index, which is set in stone on publish and verified by cargo on download. See e.g. https://github.com/rust-lang/crates.io-index/blob/74f1b1e064...
1 comments

Hmm, but then you have to trust 1) github, 2) anyone with commit access to that repository.

It's not the worst thing I suppose: #1 is a problem anyway for trusting Google/Mozilla's repo of audits, and #2 can be noticed by others so hard to pull off some supply chain attack that way.

But I would still feel more confident if the audit log contained a copy of the checksum, and ideally itself was signed with the author's keys.
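Both points in the thread, as an added example that is not code from either commenter or from cargo: a check of a downloaded crate against the pinned index `cksum` (the crates.io index keeps one JSON line per version, with `cksum` being the SHA-256 of the `.crate` file), and a check of whether an audit record carries a checksum that can be matched against the index at all. The crate bytes and index lines are constructed; the `demo` crate is hypothetical.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the bytes of a published .crate file.
CRATE_BYTES = b"constructed stand-in for the contents of demo-1.0.0.crate"
GOOD_CKSUM = hashlib.sha256(CRATE_BYTES).hexdigest()

# Constructed index lines in the crates.io-index shape: one JSON object per
# version. 1.0.1 deliberately pins a checksum that no real bytes match.
INDEX_LINES = "\n".join([
    json.dumps({"name": "demo", "vers": "1.0.0", "deps": [],
                "cksum": GOOD_CKSUM, "yanked": False}),
    json.dumps({"name": "demo", "vers": "1.0.1", "deps": [],
                "cksum": "00" * 32, "yanked": False}),
])


def index_checksum(index_text, name, version):
    """Return the cksum pinned in the index for name@version, or None."""
    for line in index_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if entry["name"] == name and entry["vers"] == version:
            return entry["cksum"]
    return None


def verify_download(index_text, name, version, crate_bytes):
    """Mirror cargo's rule: the downloaded .crate must hash to the index cksum."""
    expected = index_checksum(index_text, name, version)
    if expected is None:
        return False  # unknown version: nothing to verify against
    actual = hashlib.sha256(crate_bytes).hexdigest()
    return hmac.compare_digest(actual, expected)


def audit_matches_index(audit_record, index_text):
    """An audit record binds to specific bytes only if it carries the cksum.

    Returns None when the record has no checksum (it says nothing about
    which artifact was reviewed), else whether it agrees with the index.
    """
    cksum = audit_record.get("cksum")
    if cksum is None:
        return None
    pinned = index_checksum(index_text, audit_record["name"], audit_record["vers"])
    return pinned is not None and hmac.compare_digest(cksum, pinned)
```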