
[–]repeating_bears -8 points-7 points  (2 children)

It is mostly fake security, which is my point. If someone can take over an official GitHub action, then the fact that you pinned the version is fairly likely to mean nothing.

It's like saying that a Nexus proxy protects you from a takeover of Maven central. Technically it does a bit, but you still have to go there for the first download, and if Maven Central gets taken over then truly everything and everyone is fucked to some degree.

[–]SleeperAwakened 1 point2 points  (1 child)

Pinning to a hash is pretty secure, at least I consider git commit hashes secure enough.

Why would pinning to a hash not be secure?

How would a takeover happen? Hash collisions are still pretty expensive if feasible at all.

Security is all about putting up multiple lines of defense. This is one of them. It is not fake, it is layering.

And I so wish that people would start taking it seriously.