this post was submitted on 17 Sep 2024
454 points (99.1% liked)

Open Source

31723 readers
139 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
 

I had no idea this issue had been identified. While I find this tool very useful, the project is seeming rather questionable to me now.

you are viewing a single comment's thread
view the rest of the comments
[–] pupbiru@aussie.zone 25 points 3 months ago (1 children)

that’s what automation is for - nobody is going to manually check them, but anyone is able to automatically set something up to check their hashes in change… the fact that it’s possible that anyone is doing that now that it’s a known issue perhaps makes it less problematic as an attack vector

[–] refalo@programming.dev 3 points 3 months ago (1 children)

That is true, but also nobody is doing it. Just like nobody is verifying Signal's "reproducible builds".

[–] pupbiru@aussie.zone 5 points 3 months ago (1 children)

are you sure?

there could be thousands just waiting for a failure to come out and say “HEY THIS IS DODGY”

[–] refalo@programming.dev 1 points 3 months ago* (last edited 3 months ago)

Yea because I tested it myself. Nobody else seems to care, and if they did, I would think there would be a public way to see regular test results regardless.

I know this exists for some projects, but somehow nothing privacy-sensitive