Public
- Public
- Network
- Groups
- Featured
- Popular
- People

Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://hachyderm.io/users/dalias/statuses/112180774810931815">Rich Felker (dalias@hachyderm.io)'s status on Saturday, 30-Mar-2024 05:37:39 JST</a><a href="https://hachyderm.io/@dalias" title="dalias@hachyderm.io"><img src="https://gnusocial.jp/avatar/40873-48-20221207231635.webp" width="48" height="48" alt="Rich Felker" style="position: absolute; left: 0; top: 0;">Rich Felker</a><div><a href="https://hachyderm.io/@dfeldman/112180739934247146" rel="in-reply-to">in reply to</a><ul><li></ul></div></section><article><p><a href="https://hachyderm.io/@dfeldman">@dfeldman</a> One measure we should introduce: distro package maintainers should fetch both git and release tarballs to compare before accepting a new version. Release tarballs not matching actually-reviewed project history are a huge gratuitous threat vector.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/2879252#notice-5720841">In conversation</a><time datetime="2024-03-30T05:37:39+09:00" title="Saturday, 30-Mar-2024 05:37:39 JST">about 8 months ago</time> <span>from <span><a href="https://hachyderm.io/@dalias/112180774810931815" rel="external" title="Sent from hachyderm.io via ActivityPub">hachyderm.io</a></span></span><a href="https://hachyderm.io/@dalias/112180774810931815">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Rich Felker (dalias@hachyderm.io)'s status on Saturday, 30-Mar-2024 05:37:39 JSTRich Felker
in reply to
- Daniel Feldman
@dfeldman One measure we should introduce: distro package maintainers should fetch both git and release tarballs to compare before accepting a new version. Release tarballs not matching actually-reviewed project history are a huge gratuitous threat vector.
In conversationabout 8 months ago from hachyderm.iopermalink

Public

Embed Notice

HTML Code

Corresponding Notice