We recently had a bug opened in Gentoo for the release hash changing on 2.0.33. https://bugs.gentoo.org/904733
I believe the release was retagged?
Please try to understand that your organization currently does not sign all releases and there's no signing of a source release tarball. This makes it much easier for an adversary that gains access to your organization's GitHub (or any of the developers' accounts with commit permissions) to just retag and push a malicious release. Alarm bells go off for us at the distro level when we see that release hashes are changing, as we have no idea if the release is being tampered with.
The irony of having to open an issue like this is your organization happens to sell devices that could be used to sign commits and releases and it's just not being done: https://trezor.io/learn/a/what-is-gpg
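The distro-side check the report describes (a release fetched under an unchanged version name whose bytes no longer match what the packager pinned), written out as an added example. It is not code from the project this issue was filed against, nor from Gentoo's package manager; it assumes the Gentoo Manifest `DIST <file> <size> BLAKE2B <hex> SHA512 <hex>` line layout, and the file name and "tarball" bytes are constructed samples.

```python
"""
Verify a fetched release tarball against the size and digests pinned in a
Gentoo-style Manifest.  When upstream re-tags a version and regenerates the
tarball, the file name stays the same but the bytes change, so the pinned
digests stop matching and the fetch is refused instead of silently accepted.

Added example, not project or portage code.  Assumed DIST line layout:
    DIST <filename> <size> BLAKE2B <hex> SHA512 <hex>
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Tuple

# Digest algorithms a Manifest may pin, mapped to their hashlib constructors.
_ALGOS = {
    "BLAKE2B": hashlib.blake2b,
    "SHA512": hashlib.sha512,
    "SHA256": hashlib.sha256,
}

# Constructed sample file name and "tarball" bytes (not a real release);
# the 2.0.33 version string is the one from the Gentoo bug mentioned above.
SAMPLE_NAME = "example-2.0.33.tar.gz"
SAMPLE_TARBALL = b"example-2.0.33 source release contents (constructed sample)\n"


@dataclass
class DistEntry:
    filename: str
    size: int
    digests: Dict[str, str]  # algorithm name -> lowercase hex digest


def make_dist_line(filename: str, data: bytes) -> str:
    """Build the DIST line a maintainer pins once a tarball has been vetted."""
    b2 = hashlib.blake2b(data).hexdigest()
    s512 = hashlib.sha512(data).hexdigest()
    return f"DIST {filename} {len(data)} BLAKE2B {b2} SHA512 {s512}"


def parse_manifest(text: str) -> Dict[str, DistEntry]:
    """Return {filename: DistEntry} for every DIST line; other line types are skipped."""
    entries: Dict[str, DistEntry] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0] != "DIST":
            continue  # EBUILD / MISC / AUX lines are not distfiles
        # DIST <name> <size> followed by one or more <ALGO> <hex> pairs
        if len(parts) < 5 or (len(parts) - 3) % 2 != 0:
            raise ValueError(f"malformed DIST line {lineno}: {raw!r}")
        _, filename, size, *pairs = parts
        digests: Dict[str, str] = {}
        for algo, hexval in zip(pairs[0::2], pairs[1::2]):
            if algo not in _ALGOS:
                raise ValueError(f"unsupported digest {algo} on line {lineno}")
            digests[algo] = hexval.lower()
        entries[filename] = DistEntry(filename, int(size), digests)
    return entries


def verify_dist(entries: Dict[str, DistEntry], filename: str, data: bytes) -> Tuple[bool, str]:
    """Check the fetched bytes against the pinned size and every pinned digest."""
    entry = entries.get(filename)
    if entry is None:
        return False, f"{filename}: not in Manifest, refusing unpinned distfile"
    if len(data) != entry.size:
        return False, f"{filename}: size {len(data)} != pinned {entry.size}"
    for algo, expected in entry.digests.items():
        actual = _ALGOS[algo](data).hexdigest()
        if not hmac.compare_digest(actual, expected):
            return False, f"{filename}: {algo} mismatch, upstream bytes changed under the same name"
    return True, f"{filename}: size and {', '.join(entry.digests)} match"


if __name__ == "__main__":
    entries = parse_manifest(make_dist_line(SAMPLE_NAME, SAMPLE_TARBALL))
    print(verify_dist(entries, SAMPLE_NAME, SAMPLE_TARBALL))
    # Upstream re-tags the same version and regenerates the tarball: same
    # file name, different bytes.  The pinned digests now refuse it.
    retagged = SAMPLE_TARBALL.replace(b"release", b"re-tagged")
    print(verify_dist(entries, SAMPLE_NAME, retagged))
```

The pin only tells the packager that the bytes changed, not whether the new bytes are legitimate; that is the gap a signed tag or a detached signature on the tarball closes, since it lets the packager check the publisher's key rather than file a bug and guess.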