
Rephrase "The update did not match the code submitted to GitHub"? #1213

Open
TomHennen opened this issue Oct 21, 2024 · 1 comment

@TomHennen
Contributor

> The update did not match the code submitted to GitHub

This phrase is used a few times here, but I'm not sure what it means.
I think it has to mean basically "use of compromised dependency."
I.e., the revision consumed was not the one provided in the build inputs, but I think that's not very clear from this sentence.

I recommend replacing all usage with: "The update used unauthorized build inputs."

Originally posted by @zachariahcox in #1209 (comment)

@TomHennen
Contributor Author

From what I can tell this phrase is only used once in "Known example" text for "Use compromised dependency". So it's referring to a specific event (the event-stream attack).

In that attack the idea is that the maintainer had a package that purported to be from GitHub repo X, but uploaded a package that wasn't from repo X. Since there wasn't any SLSA verification in place, I don't think it's correct to say the update used unauthorized build inputs.

Perhaps "The updated binary was not built from the purported source code"?

@TomHennen TomHennen changed the title from ">The update did not match the code submitted to GitHub" to "Rephrase "The update did not match the code submitted to GitHub"?" Oct 21, 2024
@lehors lehors moved this to Todo in SLSA 1.1 Nov 26, 2024
@lehors lehors added this to SLSA 1.1 Nov 26, 2024