> > Building a source package is a lot more opaque and gives the attacker a
> > lot more room to hide. Adding malicious code to tar to inject something
> > into source packages is a lot quieter
How many packages have a pubkey for the orig file? Perhaps we should encourage upstreams to sign more? I guess that means giving up PyPI as a place to download from, since they have removed support for signatures. But for example KDE tarballs are all signed.

--
Salvo Tomaselli

"I do not feel obliged to believe that the same God who has endowed us with sense, reason and intellect intended us to forgo their use."
-- Galileo Galilei

https://ltworf.codeberg.page/
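One way to actually answer "how many packages have a pubkey for the orig file" is to scan a Debian Sources index: when a package carries an upstream signature (the key lives in debian/upstream/signing-key.asc), dpkg-source lists the detached `.orig.tar.*.asc` next to the tarball in the .dsc, and the Sources index inherits that file list. The script below is an added example for this thread, not code from any participant or from Debian; the Sources stanzas it scans are constructed, and the class names (signed / partial / unsigned / native) and function names are the example's own.

```python
"""Census of upstream-signed orig tarballs in a Debian Sources index.

Added example, not code from the mailing-list thread. For every source
package it checks whether each <pkg>_<ver>.orig[-component].tar.<ext>
listed under Files has a detached <name>.asc beside it.
"""
import re
import sys
from dataclasses import dataclass, field

# dpkg-source's naming for upstream tarballs, including multi-tarball
# components (foo_1.0.orig-docs.tar.xz). The anchored extension keeps
# the matching .asc from being mistaken for a tarball.
ORIG_TAR_RE = re.compile(r"\.orig(?:-[A-Za-z0-9-]+)?\.tar\.[A-Za-z0-9]+$")

# Constructed sample index covering the four cases the census distinguishes.
SAMPLE_SOURCES = """\
Package: alpha
Version: 1.2-1
Directory: pool/main/a/alpha
Files:
 d41d8cd98f00b204e9800998ecf8427e 1901 alpha_1.2-1.dsc
 d41d8cd98f00b204e9800998ecf8427e 502312 alpha_1.2.orig.tar.xz
 d41d8cd98f00b204e9800998ecf8427e 833 alpha_1.2.orig.tar.xz.asc
 d41d8cd98f00b204e9800998ecf8427e 12044 alpha_1.2-1.debian.tar.xz
Checksums-Sha256:
 0000000000000000000000000000000000000000000000000000000000000000 1901 alpha_1.2-1.dsc

Package: beta
Version: 0.9-3
Files:
 d41d8cd98f00b204e9800998ecf8427e 1500 beta_0.9-3.dsc
 d41d8cd98f00b204e9800998ecf8427e 90000 beta_0.9.orig.tar.gz
 d41d8cd98f00b204e9800998ecf8427e 8000 beta_0.9-3.debian.tar.xz

Package: gamma
Version: 2.0
Files:
 d41d8cd98f00b204e9800998ecf8427e 1200 gamma_2.0.dsc
 d41d8cd98f00b204e9800998ecf8427e 40000 gamma_2.0.tar.xz

Package: delta
Version: 3.1-2
Files:
 d41d8cd98f00b204e9800998ecf8427e 1800 delta_3.1-2.dsc
 d41d8cd98f00b204e9800998ecf8427e 70000 delta_3.1.orig.tar.bz2
 d41d8cd98f00b204e9800998ecf8427e 833 delta_3.1.orig.tar.bz2.asc
 d41d8cd98f00b204e9800998ecf8427e 30000 delta_3.1.orig-data.tar.xz
 d41d8cd98f00b204e9800998ecf8427e 9000 delta_3.1-2.debian.tar.xz
"""


@dataclass
class SourceStanza:
    package: str
    files: list = field(default_factory=list)  # file names from the Files field


def parse_sources(text):
    """Parse deb822 stanzas, keeping only Package and the names under Files."""
    stanzas = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        package, files, current = None, [], None
        for line in block.splitlines():
            if line[:1] in (" ", "\t"):            # continuation of a multi-line field
                if current == "files":
                    parts = line.split()           # "<md5> <size> <name>"
                    if len(parts) == 3:
                        files.append(parts[2])
                continue
            name, _, value = line.partition(":")
            current = name.strip().lower()
            if current == "package":
                package = value.strip()
        if package:
            stanzas.append(SourceStanza(package, files))
    return stanzas


def classify(stanza):
    """signed / partial / unsigned by upstream signature; native if no orig tarball."""
    names = set(stanza.files)
    tarballs = [n for n in names if ORIG_TAR_RE.search(n)]
    if not tarballs:
        return "native"
    signed = sum(1 for t in tarballs if t + ".asc" in names)
    if signed == len(tarballs):
        return "signed"
    return "partial" if signed else "unsigned"


def upstream_signature_census(text):
    """Return (counts per class, sorted names of packages with no signature at all)."""
    counts = {"signed": 0, "partial": 0, "unsigned": 0, "native": 0}
    unsigned = []
    for stanza in parse_sources(text):
        kind = classify(stanza)
        counts[kind] += 1
        if kind == "unsigned":
            unsigned.append(stanza.package)
    return counts, sorted(unsigned)


if __name__ == "__main__":
    # Pass a decompressed Sources index (e.g. one from /var/lib/apt/lists/)
    # to scan real data; with no argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SOURCES
    counts, unsigned = upstream_signature_census(text)
    print(counts)
    print("no upstream signature:", ", ".join(unsigned))
```

Counting the `.asc` entries only tells you that a signature was shipped, not that the key in debian/upstream/signing-key.asc is trustworthy or that the signature still verifies; for that you still need `gpg --verify` against the tarball, which this census deliberately leaves out.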