← Back to context

Comment by g-b-r

2 years ago

GitHub release builds provide no whatsoever guarantee of having been built by GitHub from the corresponding source, if I remember correctly

7 comments

g-b-r

Reply
wlamartin  2 years ago

Ah, I think you might be pleasantly surprised that this is an area being focused on right now with attestations[1] for example, here are the attestations for the GitHub CLI[2].

1: https://github.blog/2024-05-02-introducing-artifact-attestat...

2: https://github.com/cli/cli/attestations

  • g-b-r  2 years ago

    Maybe this whole cryptographic stuff has some use, but all that which was needed was for GitHub to declare when a file was uploaded manually and when by a workflow (specifying which workflow).

    This looks so complex that it might well be just smoke and mirrors

theultdev  2 years ago

So the worry is the Zed team themselves will inject something into the binary?

  • broeng  2 years ago

    The xz backdoor was an example of exploiting this disconnect. It was not present in the repository, it was inserted only into the release artifacts. Anyone getting xz by checking out the repository and building it themselves, would not be affected by it.

    • nijave  2 years ago

      I think that's a slight mischaracterization. It was present in the repo but obfuscated and rigged to only apply in release artifacts.

      A sufficiently technical user could have found it but that bar was pretty high to clear.

      2 replies →