Comment by Muromec
2 days ago
I have to trust the publisher, otherwise I can't update, and I have to update because CVEs exist. If we step back, how do I even know that the image blessed with a hardcoded hash (double-checked with the website of whoever is supposed to publish it) isn't backdoored now?
Because it has been out and published and used for weeks/months. The longer an artifact is public and in use, the less chance it has of being malicious.
Like it's been out for months and has 56k stars?
Sure. The system worked in that case - it was discovered as malicious and pulled.