On Fri, Mar 29 2024 at 07:44:12 PM +01:00:00, Mikel Olasagasti <mikel@olasagasti.info> wrote:
> Do we know if GH release tarballs are safe?
The tarballs generated by GitHub that just include the contents of the git repo should be safe (at least from this particular issue), but the Fedora package is not built from those. It was built from the malicious release tarballs.