Currently, swim update blindly fetches an upstream version of the script from https://raw.githubusercontent.com/dawsonbotsford/swim/master/swim. This is very bad as a compromise of the repository would allow an attacker to execute arbitrary code on swim users' computers. Cryptographic signature-checking of downloaded updates should be implemented to mitigate this risk.
Not sure how this would be done without implementing the built-in hash checking abilities of npm (or similar package manager). Which is absolutely a possibility. Care to give this a try or to link me to a relevant article of how this is done for bash scripts?
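One way a bash updater can do the signature check discussed in this thread, as an added example that is not part of the issue or of swim's code: the downloaded script is installed only if a detached signature validates under a public key already pinned in the installed copy, so changing the file in the repository is not enough to get it accepted. Assumptions: `openssl` is available, the release key is RSA, and the signature file name `swim.sig` and the functions `verify_update`, `apply_update` and `demo` are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not swim's code. Assumptions: an RSA release key whose public
# half is pinned inside the installed copy, and a detached signature published
# beside the script (hypothetical name: swim.sig).

# verify_update <candidate> <signature> <pinned_pubkey>
# Succeeds only if <signature> is valid for <candidate> under the pinned key.
verify_update() {
  [ -s "$1" ] && [ -s "$2" ] && [ -s "$3" ] || return 2
  openssl dgst -sha256 -verify "$3" -signature "$2" "$1" >/dev/null 2>&1
}

# apply_update <candidate> <signature> <pinned_pubkey> <install_path>
# Verifies first, then swaps the file in atomically; on failure the installed
# copy is left untouched and nothing from the download is executed.
apply_update() {
  local target="$4" tmp
  verify_update "$1" "$2" "$3" || { echo "update rejected: bad signature" >&2; return 1; }
  tmp=$(mktemp "$target.XXXXXX") || return 1
  cat "$1" > "$tmp" && chmod 755 "$tmp" && mv -f "$tmp" "$target"
}

# Constructed demo: a throwaway key and local files stand in for the maintainer's
# key and for the files a real updater would download to a temp directory.
demo() {
  local d; d=$(mktemp -d) || return 1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/release.key" 2>/dev/null
  openssl pkey -in "$d/release.key" -pubout -out "$d/release.pub"
  printf '#!/bin/sh\necho old\n' > "$d/swim"          # installed copy
  printf '#!/bin/sh\necho new\n' > "$d/swim.new"      # downloaded update
  openssl dgst -sha256 -sign "$d/release.key" -out "$d/swim.sig" "$d/swim.new"

  apply_update "$d/swim.new" "$d/swim.sig" "$d/release.pub" "$d/swim" \
    && echo "genuine: installed"
  printf 'echo injected\n' >> "$d/swim.new"            # simulate tampering
  apply_update "$d/swim.new" "$d/swim.sig" "$d/release.pub" "$d/swim" 2>/dev/null \
    || echo "tampered: rejected"
  sh "$d/swim"                                         # still the verified copy
  rm -rf "$d"
}

demo
```

The private key has to live outside the repository that serves the script; a signature made with a key stored next to the file it protects would not survive the repository compromise described in the issue.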