I had no idea this issue had been identified. While I find this tool very useful, the project is seeming rather questionable to me now.

  • Pup Biru
    link
    fedilink
    English
    arrow-up
    26
    ·
    3 个月前

    that’s what automation is for - nobody is going to manually check them, but anyone is able to automatically set something up to check their hashes in change… the fact that it’s possible that anyone is doing that now that it’s a known issue perhaps makes it less problematic as an attack vector

    • refalo@programming.dev
      link
      fedilink
      arrow-up
      4
      arrow-down
      1
      ·
      3 个月前

      That is true, but also nobody is doing it. Just like nobody is verifying Signal’s “reproducible builds”.

      • Pup Biru
        link
        fedilink
        English
        arrow-up
        5
        ·
        3 个月前

        are you sure?

        there could be thousands just waiting for a failure to come out and say “HEY THIS IS DODGY”

        • refalo@programming.dev
          link
          fedilink
          arrow-up
          1
          ·
          edit-2
          3 个月前

          Yea because I tested it myself. Nobody else seems to care, and if they did, I would think there would be a public way to see regular test results regardless.

          I know this exists for some projects, but somehow nothing privacy-sensitive