matoro | 4 years ago
> A customer reported this to us on the morning of April 1, 2021. This customer was using the shasum that is available on our Bash Uploader to confirm the integrity of the uploader fetched from https://codecov.io/bash.
> Once the customer saw a discrepancy between the shasum on Github and the shasum calculated from the downloaded Bash Uploader, they reported the issue to us, which prompted our investigation.
Just goes to show that checking published hashes is not as useless as it may seem.
koolba | 4 years ago
It's better than nothing but if the first script that you are fetching is itself fetching other scripts without validation, you have the same problem, just hidden one level deeper.
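The two points above (a pinned hash catches a tampered top-level script, but says nothing about what that script goes on to fetch) can be combined into one pre-execution check. The script below is an added example written for this thread; it is not Codecov's uploader, not its published shasum, and not code from either commenter. It assumes a POSIX shell with `sha256sum` (or `shasum` on macOS) and `grep -E`, works only on locally constructed files, and uses the reserved `example.invalid` host as a placeholder URL.

```shell
#!/bin/sh
# Added example (not from the thread or from Codecov).
# Defender-side gate for a "curl | bash" style installer: verify the downloaded
# script against a SHA-256 obtained out of band (e.g. from the project's
# repository), and refuse to run it if it pipes further downloads straight
# into a shell, because the top-level hash does not cover those second stages.
# All inputs below are constructed locally; nothing touches the network.

# sha256_of FILE -> prints the hex digest (sha256sum on Linux, shasum on macOS)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_pinned FILE EXPECTED_HEX -> exit 0 on match, 1 on mismatch
verify_pinned() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# count_unpinned_fetches FILE -> prints how many lines pipe curl/wget output
# directly into sh or bash (a nested fetch the pinned hash cannot vouch for).
# "|| true" keeps a zero count from being reported as a grep failure.
count_unpinned_fetches() {
    grep -Ec '(curl|wget)[^|]*[|][[:space:]]*(ba)?sh([[:space:]]|$)' "$1" || true
}

# check_script FILE EXPECTED_HEX -> 0 only if the hash matches AND the script
# performs no unverified nested fetch; prints the reason for a rejection
check_script() {
    if ! verify_pinned "$1" "$2"; then
        echo "REJECT: $1: sha256 does not match the pinned value" >&2
        return 1
    fi
    n=$(count_unpinned_fetches "$1")
    if [ "$n" -gt 0 ]; then
        echo "REJECT: $1: $n line(s) pipe a download straight into a shell" >&2
        return 2
    fi
    echo "OK: $1 matches the pinned sha256 and fetches nothing unverified"
    return 0
}

# --- demo on constructed files ---
demo() {
    tmp=$(mktemp -d)
    # Constructed "clean" installer: no network activity at all.
    printf '#!/bin/sh\necho "installing"\n' > "$tmp/clean.sh"
    # Constructed installer that re-fetches a second stage and runs it unverified.
    printf '#!/bin/sh\ncurl -sSL https://example.invalid/stage2.sh | bash\n' > "$tmp/nested.sh"

    pinned=$(sha256_of "$tmp/clean.sh")
    check_script "$tmp/clean.sh" "$pinned" || true                          # OK
    check_script "$tmp/clean.sh" "deadbeef" || true                         # REJECT: hash mismatch
    check_script "$tmp/nested.sh" "$(sha256_of "$tmp/nested.sh")" || true   # REJECT: nested fetch
    rm -rf "$tmp"
}
demo
```

The pinned digest must come from somewhere other than the download itself (the repository, a signed release note, a value you recorded earlier); comparing a file against a hash served next to it on the same origin proves nothing. The nested-fetch grep is deliberately crude: it is a tripwire for the common `curl ... | bash` pattern, not a proof that a script downloads nothing else, so a hit means "read this script before running it".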