Michael Catanzaro wrote: > On Fri, Mar 29 2024 at 07:44:12 PM +01:00:00, Mikel Olasagasti > <mi...@olasagasti.info> wrote: > > Do we know if GH release tarballs are safe? > > The tarballs generated by GitHub that just include the contents of the > git repo should be safe (at least from this particular issue),
So it is reported. The bulk of the attack code is in the Git repository, but the line that triggers it is only in the release tarballs, according to the report – but that means that the attacker is or was able to push commits to Github, so at this point it would be foolish to blindly trust the Git repository or the Github-generated tarballs. Björn Persson
pgp8nUs2fpGPZ.pgp
Description: OpenPGP digital signatur
-- _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
