by ojosilva 861 days ago
It would be interesting if GitHub here could put a green check next to the release files certifying they were entirely built from the sources in the repository that link to a corresponding ref/tag SHA: "No external files involved in the build". Obviously this would only be possible if the release files were built by GH Actions and the environment was a special one, absolutely sealed from the open internet, that GH would certify, filter and curate.

Still, this would not prevent some shady file in the repo or a build hack from going unnoticed, but maybe it could become a starting point for delivering safer binary distributions from open source projects.
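The "green check" conditions the comment describes (artifact digest matches, built by a certified sealed builder, the only build input is the repository at the tagged commit) expressed as a verification routine. This is an added example, not code from the comment or from GitHub; the provenance record format is a constructed, SLSA-like simplification, and the builder identifier and artifact bytes are placeholders.

```python
import hashlib

# Constructed placeholder: identifiers of builders the platform certifies as sealed.
SEALED_BUILDERS = {"https://builder.example.invalid/sealed-actions"}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_release(artifact: bytes, provenance: dict, repo: str, tag_sha: str) -> list[str]:
    """Return a list of findings; an empty list means all 'green check' conditions hold."""
    findings = []
    # 1. The record must describe exactly this artifact.
    if provenance.get("subject_sha256") != sha256_hex(artifact):
        findings.append("artifact digest does not match the provenance subject")
    # 2. The build must have run in a builder the platform certifies as sealed.
    if provenance.get("builder_id") not in SEALED_BUILDERS:
        findings.append("artifact was not produced by a certified sealed builder")
    # 3. The source material must be the repository at the tagged commit.
    materials = provenance.get("materials", [])
    source = [m for m in materials if m.get("uri") == repo]
    if not source or source[0].get("sha1") != tag_sha:
        findings.append("source material does not match the tagged commit")
    # 4. "No external files involved": any other input disqualifies the build.
    externals = sorted(m.get("uri", "?") for m in materials if m.get("uri") != repo)
    if externals:
        findings.append("external inputs were used: " + ", ".join(externals))
    return findings

# Constructed sample data (not a real project or commit).
REPO = "git+https://github.com/example-org/example-tool"
TAG_SHA = "0" * 40
ARTIFACT = b"constructed release tarball bytes"

GOOD_PROVENANCE = {
    "subject_sha256": sha256_hex(ARTIFACT),
    "builder_id": "https://builder.example.invalid/sealed-actions",
    "materials": [{"uri": REPO, "sha1": TAG_SHA}],
}
# Same build, but a dependency was fetched from outside the repository.
BAD_PROVENANCE = {
    "subject_sha256": sha256_hex(ARTIFACT),
    "builder_id": "https://builder.example.invalid/sealed-actions",
    "materials": [{"uri": REPO, "sha1": TAG_SHA},
                  {"uri": "https://cdn.example.invalid/helper.tar.gz", "sha256": "f" * 64}],
}

if __name__ == "__main__":
    print("good:", verify_release(ARTIFACT, GOOD_PROVENANCE, REPO, TAG_SHA))
    print("bad: ", verify_release(ARTIFACT, BAD_PROVENANCE, REPO, TAG_SHA))
```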