top | item 43373787 (no title) marsovo | 11 months ago I don't think that's exactly what happened here: the compromise created new tags but generally the tag consumption relies on semantic versioningIn other words: you specify version 44, the attacker creates 44.1, you're still hosed. discuss order hn newest BlackFingolfin|11 months ago No you literally can (and the attackers did) change version 44 (the tag for it) to point to a different compromised commmit marsovo|11 months ago Yes, you're right. I wasn't able to double-check as the repo was deleted at the time. That said, AIUI making the tags read-only would still often be vulnerable to semantic-version exploitation.
BlackFingolfin|11 months ago No you literally can (and the attackers did) change version 44 (the tag for it) to point to a different compromised commmit marsovo|11 months ago Yes, you're right. I wasn't able to double-check as the repo was deleted at the time. That said, AIUI making the tags read-only would still often be vulnerable to semantic-version exploitation.
marsovo|11 months ago Yes, you're right. I wasn't able to double-check as the repo was deleted at the time. That said, AIUI making the tags read-only would still often be vulnerable to semantic-version exploitation.
BlackFingolfin|11 months ago
marsovo|11 months ago