Comment by sodality2
10 days ago
How do you deal with the opposite, software that you forget to update but contains vulnerabilities discovered/exploited later?
10 days ago
How do you deal with the opposite, software that you forget to update but contains vulnerabilities discovered/exploited later?
I use a package manager that checks the hash of the downloaded installer against what's recorded in the package listing for that version. WinGet has been built in to Windows since one of the 2018-era releases of Windows 10: https://i.ibb.co/VYGXdc56/2026-02-01-20-46-28-Greenshot.png
Integrity checks say nothing about the package authenticity, though. State sponsored actors could just... change the hash on the listing in a hypothetical attack.
“Just” lol
That would be two things that would have to be compromised and redirected simultaneously to malicious versions. Way more likely to be noticed too because one of them would be GitHub, and unless they mirror the entire rest of the package metadata index and keep it up to date for everything else besides their targeted malicious package.