by 1lint 1088 days ago
Another reason to include commit ids in the url when fetching files from external repos. I think you should do this anyways in case the external repo maintainer makes a change that silently breaks your build script
2 comments

Just verify the SHA of the tarball a la Bazel?
Remember when git archive changed its format and that affected archives downloaded from github?
That won't help you very much. There's no guarantee the commit belongs to the named repository with e.g. raw links[0].

[0] https://twitter.com/slimsag/status/1672421999698903043

Of course it will, since you'll either get the commit you wanted at the time you wrote the script, or an error.
Unless someone is very good at finding SHA1 collisions.
The collisions need to deliver a malicious payload as well, making it extra hard.
Those are still very hard to get for a random hash, and GitHub I think warns (or blocks?) you if you try to push a hash with a known vulnerability.
If you clone the repo, it won't be there.
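The two defences discussed in this thread, pinning the commit id in the URL and checking the tarball's hash as Bazel does, fit together in one small fetch helper. The script below is an added example written for this page, not code from any commenter or project; the repository URL, commit id, file path and expected digest are placeholders, and the `repo/raw/<commit>/<path>` URL shape is an assumption about the host. The commit pin means you get the bytes you reviewed or an error; the hash check additionally catches a host that serves different bytes for the same name (the `git archive` format change above) or a commit reachable through a raw link that was never part of the repository you meant.

```shell
#!/bin/sh
# Added example (not from the thread): download a file from a commit-pinned URL
# and refuse to use it unless its SHA-256 matches a digest recorded in the build
# script. Repo URL, commit, path and digest in any usage are placeholders.
set -eu

# Print the SHA-256 hex digest of a file; works with sha256sum (GNU) or shasum (BSD/macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_sha256 FILE EXPECTED_HEX -> returns 0 on match, 1 on mismatch (and reports both digests).
verify_sha256() {
  file=$1
  expected=$2
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "hash mismatch for $file: expected $expected, got $actual" >&2
  return 1
}

# fetch_pinned REPO_URL COMMIT PATH EXPECTED_HEX DEST
# Fetches PATH at the exact COMMIT (assumed GitHub-style raw URL layout) and only
# moves it into place once the digest matches; a mismatch leaves no file behind.
fetch_pinned() {
  repo=$1
  commit=$2
  path=$3
  expected=$4
  dest=$5
  tmp=$(mktemp)
  # -f: fail on HTTP errors instead of saving an error page; -L: follow the raw redirect.
  if ! curl -fsSL "$repo/raw/$commit/$path" -o "$tmp"; then
    rm -f "$tmp"
    echo "download failed for $repo at $commit: $path" >&2
    return 1
  fi
  if verify_sha256 "$tmp" "$expected"; then
    mv "$tmp" "$dest"
    return 0
  fi
  rm -f "$tmp"
  return 1
}

# Example usage (placeholders, not real coordinates):
# fetch_pinned https://github.com/example-org/example-repo \
#   0123456789abcdef0123456789abcdef01234567 build/setup.sh \
#   <expected-sha256-hex> ./setup.sh
```

Record the expected digest the first time you review the file, the same way a Bazel `http_archive` rule carries its `sha256`; from then on a changed upstream file, a tampered mirror or a re-packaged archive fails the build loudly instead of silently.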