> The update did not match the code submitted to GitHub

This phrase is used a few times here, but I'm not sure what it means.
I think it has to mean basically "use of compromised dependency."
I.e., the revision consumed was not the one provided in the build inputs, but I think that's not very clear from this sentence.
I recommend replacing all usage with: "The update used unauthorized build inputs."
From what I can tell this phrase is only used once in "Known example" text for "Use compromised dependency". So it's referring to a specific event (the event-stream attack).
In that attack the idea is that the maintainer had a package that purported to be from GitHub repo X, but uploaded a package that wasn't from repo X. Since there wasn't any SLSA verification in place, I don't think it's correct to say the update used unauthorized build inputs.
Perhaps "The updated binary was not built from the purported source code"?
TomHennen changed the title from "The update did not match the code submitted to GitHub" to "Rephrase 'The update did not match the code submitted to GitHub'?" on Oct 21, 2024
Originally posted by @zachariahcox in #1209 (comment)