A user asked:
Why there isn't a hash or code crc256 to check if application is genuine to thwart supply chain attacks?
We do have signed releases on GitHub. Is there something else we should do here? Or are we assuming that a user who wants to run such a check is able to find our GitHub repository?
I do not think adding the data to the download (a separate file with the hashes?) would solve the issue, because if hiro.so got compromised, both could be replaced by the hacker, providing false security.
Should we perhaps provide the option to (a) direct to GitHub for a user to pick the appropriate version for themselves and/or (b) provide the option to verify authenticity?
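
The concern raised above, as an added example that is not code from this project: a hash file served from the same origin as the download still "verifies" when both are replaced together, while a digest taken from a separately controlled channel (for instance the signed GitHub release) catches the swap. The function names, result labels and sample bytes are assumptions constructed for illustration.

```python
import hashlib


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so a large installer need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(actual, same_origin_digest, independent_digest):
    """Compare the computed digest with one published beside the download
    and one obtained from a separately controlled channel."""
    actual = actual.strip().lower()
    site_ok = actual == same_origin_digest.strip().lower()
    independent_ok = actual == independent_digest.strip().lower()
    if independent_ok and site_ok:
        return "genuine"
    if independent_ok:
        return "genuine-but-site-hash-differs"
    if site_ok:
        # Download and its hash file agree with each other but not with the
        # independent record: both were changed on the same origin.
        return "reject-site-and-hash-replaced-together"
    return "reject-mismatch"


# Constructed sample data standing in for real release artifacts.
GENUINE = b"constructed bytes standing in for the real installer"
TAMPERED = b"constructed bytes standing in for a replaced installer"


def digest(data):
    return hashlib.sha256(data).hexdigest()


def demo():
    pinned = digest(GENUINE)      # recorded from the independent channel
    site_hash = digest(TAMPERED)  # hash file replaced along with the installer
    same_origin_only_passes = digest(TAMPERED) == site_hash
    return same_origin_only_passes, classify(digest(TAMPERED), site_hash, pinned)


if __name__ == "__main__":
    print(demo())
```

The independent digest is only as trustworthy as the channel it came from, which is why it should be taken from a signed release rather than from the download site.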