[sour-taste]

Because a malicious ssg could expose private files (private keys etc) at a hidden url only the attacker knows to scan for, drop malware that grants them non-static file access, or really anything that other compromised binaries can do.

[cosarara]

But we are not talking about a malicious ssg, we are talking about a vulnerable ssg that somehow needs to be patched. Unless your ssg connects to the internet, this is a non issue.

[delusional]

> Unless your ssg connects to the internet, this is a non issue.

This, but for all software ever. In the nightmare realm we've apparently decided to settle down in we forgot the one way to make actually secure software: Run the complicated parts somewhere offline.

A security vulnerability is much less scary if the computer can't communicate with anything. It's the only way for us to get out of the pit of infinite work we've dug.

[marginalia_nu]

If the author of the SSG is compromised, I doubt they'd push fixes for their own exploits...?