Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://bonn.social/users/martin_ueding/statuses/112185236976765558">Martin Ueding (martin_ueding@bonn.social)'s status on Monday, 01-Apr-2024 10:12:09 JST</a><a href="https://bonn.social/@martin_ueding" title="martin_ueding@bonn.social"><img src="https://gnusocial.jp/avatar/133848-48-20240401011210.webp" width="48" height="48" alt="Martin Ueding" style="position: absolute; left: 0; top: 0;">Martin Ueding</a><div><a href="https://nerdculture.de/@kirschwipfel/112183708887529887" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/148990" title="kirschwipfel@nerdculture.de">🍒🌳 Hartmut Goebel</a></li><li><a href="https://gnusocial.jp/user/209694" title="lispi314@udongein.xyz">LisPi</a></li><li><a href="https://gnusocial.jp/user/252580" title="andresfreundtec@mastodon.social">AndresFreundTec</a></li></ul></div></section><article><p><a href="https://nerdculture.de/@kirschwipfel">@kirschwipfel</a> <a href="https://udongein.xyz/users/lispi314">@lispi314</a> <a href="https://mastodon.social/@AndresFreundTec">@AndresFreundTec</a> <a href="https://mastodon.social/@glyph">@glyph</a> <br>Sounds good. But some projects have a build stage which generates lots of things. Packagers for distributions need to set up the needed environment and perform these steps. It seems much easier to use a provided artifact in these cases.</p><p>I think this attack is hard to defend against: An evil insider in the project with control over the code and artifacts. One could also hide malicious stuff in the code itself directly, in plain sight.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/2879212#notice-5736953">In conversation</a><time datetime="2024-04-01T10:12:09+09:00" title="Monday, 01-Apr-2024 10:12:09 JST">about a year ago</time> <span>from <span><a href="https://bonn.social/@martin_ueding/112185236976765558" rel="external" title="Sent from bonn.social via ActivityPub">bonn.social</a></span></span><a href="https://bonn.social/@martin_ueding/112185236976765558">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Martin Ueding (martin_ueding@bonn.social)'s status on Monday, 01-Apr-2024 10:12:09 JSTMartin Ueding
in reply to
@kirschwipfel @lispi314 @AndresFreundTec @glyph
Sounds good. But some projects have a build stage which generates lots of things. Packagers for distributions need to set up the needed environment and perform these steps. It seems much easier to use a provided artifact in these cases.
I think this attack is hard to defend against: An evil insider in the project with control over the code and artifacts. One could also hide malicious stuff in the code itself directly, in plain sight.
In conversationabout a year ago from bonn.socialpermalink

Public

Embed Notice

HTML Code

Corresponding Notice