Automatically auditing tarballs?
Posted Apr 3, 2024 7:58 UTC (Wed) by smurf (subscriber, #17840)
In reply to: Automatically auditing tarballs? by GNUtoo
Parent article: A backdoor in xz
> many git repositories don't sign commits
You don't need to sign commits. You need to sign tags. Tagging a new version doesn't happen automatically (usually); it's the maintainer's job, not the repo's.