Hacker News new | ask | show | jobs
by dsp_person 46 days ago
One thing that bugged me when I made a community plugin was that you have to attach non-git-controlled files to the release (e.g. main.js).

To check if any community plugin is safe, it seems like you'd have to not only review the code on github, but also analyze the github release files to be sure nothing malicious packed in there.

Maybe I'm misunderstanding something about the process, I'd appreciate if anyone could confirm or explain otherwise.
1 comments
kepano 46 days ago
The recommended way to do this is via artifact attestation:

https://docs.github.com/en/actions/how-tos/secure-your-work/...

link
dsp_person 46 days ago
Thanks that's interesting. The docs are aimed at developers, but I'm curious about the use case for the end user.

So would a user have to do some kind of `gh attestation verify PATH/TO/YOUR/BUILD/ARTIFACT-BINARY ...`? (assuming the plugin dev provides an sbom?)

link
kepano 46 days ago
In the near term artifact attestation will be visible to users in the directory, and part of the overall scorecard of a plugin.
link