And for malicious releases? #11
Hi Aditya,
Probably not the best place to file this issue, but I was wondering if you knew of another, similar repo that tracks historical instances where an upstream software provider's release was swapped for a malicious one?
The two most-cited occurrences are Linux Mint's 2016-02-20 hacked ISO and Monero's 2019-11-18 hacked tarballs:
I've seen several slide decks from @JustinCappos that list far more vendors that have suffered attacks that could have been prevented by TUF:
Personally, I've opened many tickets trying to convince upstream maintainers to sign their releases. Sadly, I'm often met with skepticism & resistance along the lines of "but https"
I think it would be very useful if we had a repo that curated a list of important historical incidents "high profile or otherwise," where "official releases" were impacted due to malicious content being served to end users.
Do you know if such a curated list is currently maintained? Would you be interested in maintaining one?
Comments
Oh, I just found this. Sadly, it's archived -- not sure why :(
That list was moved here: https://github.com/cncf/tag-security/tree/main/supply-chain-security/compromises. Mint is already documented here, but Monero isn't. That list focuses on compromises rather than availability issues, which is why I started maintaining this one. :)
This is great, thanks. Any chance you can ask @in-toto to pull the first repo out of archive only for one commit to update
Just added a notice! Thanks for the pointer :)
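The issue argues for signed releases and cites the usual "but https" objection. As an added example, not code from this repository or from any project named in the thread, the Go program below shows the two checks a release-signature verifier performs that transport security cannot: the SHA256SUMS-style manifest must carry a valid signature from the maintainer's key, and the downloaded artifact's digest must match the manifest entry. A swapped artifact (the Mint/Monero pattern) fails the digest check; a manifest rewritten to match the swapped file fails the signature check. The Ed25519 key, the artifact bytes and the filename are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// parseManifest reads lines in the common "SHA256SUMS" layout: "<hex digest>  <filename>".
func parseManifest(manifest []byte) (map[string]string, error) {
	sums := make(map[string]string)
	for _, line := range strings.Split(string(manifest), "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 || len(fields[0]) != sha256.Size*2 {
			return nil, fmt.Errorf("malformed manifest line: %q", line)
		}
		sums[fields[1]] = strings.ToLower(fields[0])
	}
	return sums, nil
}

// VerifyRelease checks (1) that the manifest is signed by the release key and
// (2) that the artifact's SHA-256 digest matches the signed manifest entry.
// Whether the bytes arrived over HTTPS plays no part in either check.
func VerifyRelease(pub ed25519.PublicKey, manifest, sig []byte, name string, artifact []byte) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return errors.New("manifest signature invalid: not signed by the release key")
	}
	sums, err := parseManifest(manifest)
	if err != nil {
		return err
	}
	want, ok := sums[name]
	if !ok {
		return fmt.Errorf("artifact %q not listed in signed manifest", name)
	}
	got := sha256.Sum256(artifact)
	if hex.EncodeToString(got[:]) != want {
		return fmt.Errorf("digest mismatch for %q: artifact differs from the signed release", name)
	}
	return nil
}

// release simulates the maintainer side with constructed sample data:
// a fresh Ed25519 key, an artifact, its manifest, and a signature over the manifest.
type release struct {
	pub      ed25519.PublicKey
	name     string
	artifact []byte
	manifest []byte
	sig      []byte
}

func newRelease() release {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	name := "example-app-1.0.tar.gz" // constructed filename
	artifact := []byte("constructed tarball contents for the example")
	digest := sha256.Sum256(artifact)
	manifest := []byte(fmt.Sprintf("%s  %s\n", hex.EncodeToString(digest[:]), name))
	return release{pub, name, artifact, manifest, ed25519.Sign(priv, manifest)}
}

// GenuineReleaseVerifies: untouched artifact and manifest pass both checks.
func GenuineReleaseVerifies() bool {
	r := newRelease()
	return VerifyRelease(r.pub, r.manifest, r.sig, r.name, r.artifact) == nil
}

// SwappedArtifactRejected: a different file is served under the release's filename.
func SwappedArtifactRejected() bool {
	r := newRelease()
	swapped := append(append([]byte(nil), r.artifact...), []byte(" plus an unexpected change")...)
	return VerifyRelease(r.pub, r.manifest, r.sig, r.name, swapped) != nil
}

// ForgedManifestRejected: the manifest is rewritten to match the swapped file,
// but without the maintainer's private key the old signature no longer covers it.
func ForgedManifestRejected() bool {
	r := newRelease()
	swapped := []byte("different contents")
	d := sha256.Sum256(swapped)
	forged := []byte(fmt.Sprintf("%s  %s\n", hex.EncodeToString(d[:]), r.name))
	return VerifyRelease(r.pub, forged, r.sig, r.name, swapped) != nil
}

func main() {
	fmt.Println("genuine release verifies:", GenuineReleaseVerifies())
	fmt.Println("swapped artifact rejected:", SwappedArtifactRejected())
	fmt.Println("forged manifest rejected:", ForgedManifestRejected())
}
```

In practice the public key is obtained out of band (shipped with the package manager, pinned in a previous install, or distributed through a framework such as TUF) rather than fetched from the same server as the release, since the whole point is that the download channel is untrusted.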