Downloaded binaries should be hashed/verified. #34
Labels
kind/feature
Categorizes issue or PR as related to a new feature.
priority/backlog
Higher priority than priority/awaiting-more-evidence.
Comments
|
One other comment on this topic... Do we have a policy for reviewing / auditing third party tools and libraries? Obviously one of us can just grab hashes, but what about the next time when a new version of a tool releases? Edit: I would extend this to verifying dependencies in general (binary or otherwise). |
|
We do not have a policy setup/in place. |
tstromberg
added
kind/feature
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
To help ensure software supply chain security, this file needs to be hashed (SHA-2 256 or better) and verified against a copy of the hash that we store in this repository. Another option is to have the nix package manager install it, or have the user install it manually.
Originally posted by @stephen-fox in #33 (comment)
The text was updated successfully, but these errors were encountered: