by crote
246 days ago
And how are you supposed to verify that the right packages have been uploaded? The easiest way to verify that is by using a reproducible automated pipeline, as that moves the problem to "were the packaging files tampered with". How do you verify the packaging files? By making them auditable by putting them in a git repository, and for example having the packager sign each commit. If a suspicious commit slips in, it'll be immediately obvious to anyone looking at the logs.
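The "look at the logs" step from the comment above, as an added example that is not part of the original post: a small auditor that reads `git log` signature-status output for a packaging repo and flags every commit that is not a good signature from an allowlisted packager key. The fingerprints, commit hashes and subjects are constructed placeholders.

```python
"""Audit the commit signatures of a packaging repository.

Input is the output of
    git log --format='%H%x09%G?%x09%GF%x09%s' <range>
where %G? is git's signature status letter (G good, U good but key not
trusted by gpg, N none, B bad, E unverifiable, X/Y/R expired or revoked)
and %GF is the fingerprint of the signing key (empty when unsigned).
"""
from dataclasses import dataclass

# Fingerprints of the packagers whose commits are accepted (constructed placeholders).
TRUSTED_FINGERPRINTS = {"1111222233334444555566667777888899990000"}

STATUS_REASON = {
    "N": "unsigned commit",
    "B": "bad signature",
    "E": "signature cannot be verified (key missing?)",
    "X": "signature expired",
    "Y": "signing key expired",
    "R": "signing key revoked",
}


@dataclass(frozen=True)
class Finding:
    commit: str
    subject: str
    reason: str


def parse_log(text: str) -> list[tuple[str, str, str, str]]:
    """Split tab-separated git log lines into (hash, status, fingerprint, subject)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t", 3)
        if len(parts) != 4:
            raise ValueError(f"malformed log line: {line!r}")
        rows.append((parts[0], parts[1], parts[2], parts[3]))
    return rows


def audit(log_text: str, trusted: set[str] = TRUSTED_FINGERPRINTS) -> list[Finding]:
    """Return one Finding per commit not carrying a good signature from an approved key."""
    findings = []
    for commit, status, fpr, subject in parse_log(log_text):
        if status in ("G", "U"):
            # Trust is decided by our allowlist, not by the local gpg keyring's validity.
            if fpr.upper() in trusted:
                continue
            reason = f"good signature but key {fpr or '<none>'} is not an approved packager key"
        else:
            reason = STATUS_REASON.get(status, f"unexpected status {status!r}")
        findings.append(Finding(commit, subject, reason))
    return findings


# Constructed sample log: one clean commit and three an auditor should look at.
SAMPLE_LOG = "\n".join([
    "0123456789abcdef0123456789abcdef01234567\tG\t1111222233334444555566667777888899990000\tbump bash to 5.2.21",
    "89abcdef0123456789abcdef0123456789abcdef\tN\t\tupdate download URL",
    "fedcba9876543210fedcba9876543210fedcba98\tU\tAAAABBBBCCCCDDDDEEEEFFFF0000111122223333\trefresh patches",
    "76543210fedcba9876543210fedcba9876543210\tB\t1111222233334444555566667777888899990000\tfix build flags",
])

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.commit[:12]}  {f.reason}: {f.subject}")
```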
Conversely, this is also an attack surface. It can be easy to just hit "accept" on automated pipeline updates.
New source for bash? Seems legit ... and the source built ... "yeah, ok."