by progbits
1120 days ago
Hmm, but then you have to trust 1) GitHub, 2) anyone with commit access to that repository. It's not the worst thing I suppose: #1 is a problem anyway for trusting Google/Mozilla's repo of audits, and #2 can be noticed by others, so it's hard to pull off some supply chain attack that way. But I would still feel more confident if the audit log contained a copy of the checksum, and ideally was itself signed with the author's keys.
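An added example (not part of the comment above, and not the code of any real audit tool) showing what the commenter asks for: each audit entry pins the reviewed artifact by its SHA-256 checksum and is signed with the auditor's own Ed25519 key, so a consumer can verify the entry without trusting the repository host or whoever has commit access. The `AuditRecord` shape, the `examplecrate` package, the auditor name `alice` and the artifact bytes are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// AuditRecord is one entry of a hypothetical audit log. Besides the verdict it
// pins the exact artifact that was reviewed by its SHA-256 checksum.
type AuditRecord struct {
	Package string `json:"package"`
	Version string `json:"version"`
	SHA256  string `json:"sha256"`  // hex digest of the reviewed artifact
	Verdict string `json:"verdict"` // e.g. "safe-to-deploy"
	Auditor string `json:"auditor"` // key id used to look up the trusted public key
}

// SignedRecord wraps a record with the auditor's Ed25519 signature over its
// canonical encoding; this is what would be committed to the shared log.
type SignedRecord struct {
	Record    AuditRecord `json:"record"`
	Signature []byte      `json:"signature"`
}

// canonical returns the bytes that are signed. encoding/json emits struct
// fields in declaration order, so the encoding is deterministic.
func canonical(r AuditRecord) []byte {
	b, err := json.Marshal(r)
	if err != nil {
		panic(err) // a plain struct of strings cannot fail to marshal
	}
	return b
}

// Checksum returns the hex SHA-256 digest of an artifact.
func Checksum(artifact []byte) string {
	sum := sha256.Sum256(artifact)
	return hex.EncodeToString(sum[:])
}

// SignRecord produces the auditor-signed entry.
func SignRecord(priv ed25519.PrivateKey, r AuditRecord) SignedRecord {
	return SignedRecord{Record: r, Signature: ed25519.Sign(priv, canonical(r))}
}

// VerifyRecord checks both properties the comment asks for: the entry carries a
// valid signature from a trusted auditor key, and the checksum inside the signed
// entry matches the artifact actually fetched. A host or committer that edits
// the entry breaks the signature; a substituted artifact breaks the checksum.
func VerifyRecord(trusted map[string]ed25519.PublicKey, s SignedRecord, artifact []byte) error {
	pub, ok := trusted[s.Record.Auditor]
	if !ok {
		return errors.New("auditor key not trusted: " + s.Record.Auditor)
	}
	if !ed25519.Verify(pub, canonical(s.Record), s.Signature) {
		return errors.New("audit entry signature invalid")
	}
	if got := Checksum(artifact); got != s.Record.SHA256 {
		return fmt.Errorf("artifact checksum %s does not match audited %s", got, s.Record.SHA256)
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	artifact := []byte("constructed sample crate tarball contents") // constructed input
	rec := AuditRecord{Package: "examplecrate", Version: "1.2.3",
		SHA256: Checksum(artifact), Verdict: "safe-to-deploy", Auditor: "alice"}
	signed := SignRecord(priv, rec)
	trusted := map[string]ed25519.PublicKey{"alice": pub}

	fmt.Println("genuine entry + genuine artifact:", VerifyRecord(trusted, signed, artifact))

	// Someone with commit access edits the checksum to bless a different artifact.
	forged := signed
	forged.Record.SHA256 = Checksum([]byte("different contents"))
	fmt.Println("edited entry:", VerifyRecord(trusted, forged, []byte("different contents")))

	// The registry serves a different artifact than the one that was audited.
	fmt.Println("substituted artifact:", VerifyRecord(trusted, signed, []byte("different contents")))
}
```

The trust decision lives entirely in the `trusted` map of auditor public keys that the consumer pins locally; the log itself can be hosted anywhere, since neither the host nor other committers can produce a valid signature for a modified entry.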