2) If I and the upstream are both looking at a file that was generated by GitHub, then the SHA may match, but that doesn't prove we weren't both owned by GitHub.
Perhaps what I am missing is that this isn't part of a reproducible build scenario. There's no attempt to ensure that the file GitHub had built is the one I would build with the same starting point.