The Comforting Lie of SHA Pinning(vaines.org)

13 points by chillax 14 hours ago | 5 comments

  • rcxdude 2 hours ago
    This has been a big security/UX issue with GitHub for a while. It extends to the web interface: you can link to a specific commit under an official GitHub repo, but the contents of the README on the page will be from a malicious fork, which makes it way easier to make links look legitimate.
  • quuxplusone 4 hours ago
    TFA writes: "Late last year NPM was basically a skip fire" — is this an idiom I should know? (Something like a misfire?) Or a typo for "ship fire"? Or something else?
    • rcxdude 2 hours ago
      Skip is a British term for dumpster.
  • sh-cho 6 hours ago
    GitHub needs to support 'Immutable Release' on GitHub Actions, as soon as possible. Other methods are just workarounds and easy to break, just like the example in the post.
  • nathan_douglas 7 hours ago
    Wow. I did not know this. I'll bring it up in my organization.