DEV Community

loading...

Discussion on: Open-source loses a friend

Collapse
bitario profile image
Mo Bitar Author

Ideally the next step would be to use our own CDN (aka AWS), which admittedly is not a huge step up. So I'm not too sure yet what this means. But definitely, I'm more concerned about releases than I am about actual code/issues.

Collapse
eli profile image
Eli Bierman

I just came across a security issue relevant to this discussion. Gitea (a GitHub alternative hosted on GitHub) just had its releases on GitHub compromised:

github.com/go-gitea/gitea/issues/4167

The solution they're going for is to GPG sign their releases. Another probably simpler way to resolve your concerns could be to just post the SHA256 hashes of the releases on an external domain and include directions to check the hash of the release from GitHub in the installation instructions.

Thread Thread
bitario profile image
Mo Bitar Author

Yup, this is the direction I'll be going in as well.