Michael Catanzaro wrote:
On Fri, Mar 29 2024 at 07:44:12 PM +01:00:00, Mikel Olasagasti mikel@olasagasti.info wrote:
Do we know if GH release tarballs are safe?
The tarballs generated by GitHub that just include the contents of the git repo should be safe (at least from this particular issue),
So it is reported. The bulk of the attack code is in the Git repository, but the line that triggers it is only in the release tarballs, according to the report – but that means that the attacker is or was able to push commits to Github, so at this point it would be foolish to blindly trust the Git repository or the Github-generated tarballs.
Björn Persson