
Feross (@feross) “This is what I've been saying since starting Socket in 2020. You need to look at” — TopicDigg

Feross
@feross
⚡️ Founder + CEO @SocketSecurity • 🌲 Visiting lecturer @Stanford • ❤️ Open source @WebTorrentApp + @StandardJS
Joined August 2008
1.6K Following    40.5K Followers
This is what I've been saying since starting Socket in 2020. You need to look at what the code actually does. Signing and provenance are a bit helpful and definitely not sufficient.

I read this on a GitHub comment on the tanstack repo:

> Right now, it feels like provenance answers “where the package came from”, but not necessarily “is install-time behavior trustworthy?”.

Yes. That has always been the case.
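As an added example (not code from Feross's post or from Socket), here is the kind of install-time check the quoted GitHub comment is asking about: read a package's package.json and report the npm lifecycle scripts that will run on install, which a provenance attestation says nothing about. The sample package.json is constructed, and the allowlist policy is an assumption.

```javascript
// Added example, not from the post or from Socket. A provenance attestation
// answers "where was this package built"; it does not answer "what runs when
// I install it". These functions surface the install-time part for review.

// npm lifecycle hooks that execute during a plain `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Return every install-time hook defined in a package.json, with its command.
function installTimeScripts(pkgJsonText) {
  const pkg = JSON.parse(pkgJsonText);
  const scripts = pkg.scripts || {};
  return INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === "string")
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Assumed local policy: an install-time script is a finding unless its exact
// command is on a reviewed allowlist. Findings are read by a human; this code
// deliberately does not try to decide whether a command is "safe".
function reviewInstallScripts(pkgJsonText, allowlist = new Set()) {
  return installTimeScripts(pkgJsonText).filter(
    ({ command }) => !allowlist.has(command)
  );
}

// Constructed sample: a well-formed package whose provenance could verify
// cleanly, yet it still runs a script at install time. That script is the
// thing "look at what the code actually does" refers to.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-pkg",
  version: "1.0.0",
  scripts: {
    build: "tsc",
    postinstall: "node ./scripts/setup.js",
  },
});

if (typeof require !== "undefined" && require.main === module) {
  for (const finding of reviewInstallScripts(SAMPLE_PACKAGE_JSON)) {
    console.log(`review before installing: ${finding.hook} -> ${finding.command}`);
  }
}
```

Run it against a real package by passing the contents of its package.json (the `build` script is ignored because it does not run on install).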