Security

It is NEVER a good idea to install random binaries from random sources.


Trust but Verify


Don't Trust Us

  1. Repos that already publish pre-compiled binaries/packages: you can compare our checksums against theirs.

  2. Fork our repos, read & audit our code, set up all the infrastructure, & run all the scripts & builds on your own servers.


Spooky Things

  1. First, verify that the alert is NOT a False Positive and confirm that the Binary is indeed Malicious.

  2. Second, check the affected Binary's Build Script, the latest BUILD.log & finally the CHECKSUMS, as described in the sections above.

  3. Third, if everything checks out, create an Issue & attach Verifiable and Reproducible Proof.

  1. All the Build Servers follow Standard Security Hardening to mitigate Supply Chain Attacks, so a single Malicious Binary is far more likely than ALL the binaries being infected.

  2. To reiterate: the source code of the packages or tools compiled here is not controlled in any way.
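The checksum comparison from "Don't Trust Us" and step 2 of "Spooky Things", as an added example that is not part of this page or the project's own tooling. It assumes a sha256sum-style CHECKSUMS file ("<hex>  <name>" lines); the sample "binary" and CHECKSUMS file are constructed inline, and the optional third argument is a hash obtained from an independent source (for example the upstream repo's own release), so a tampered CHECKSUMS file alone cannot vouch for a binary.

```shell
#!/bin/sh
# Added example (not the project's code). Verifies a downloaded binary
# against a CHECKSUMS file and, optionally, against an independently
# obtained hash. File layout and sample data are constructed assumptions.
set -u

# Print the sha256 of a file as lowercase hex (falls back to shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | awk '{print tolower($1)}'
}

# Look up the expected hash for a file name in a CHECKSUMS file.
# Prints the hash, or nothing if the name is absent.
expected_hash() {
  awk -v n="$2" '($2 == n || $2 == "*" n) {print tolower($1); exit}' "$1"
}

# verify_binary <binary> <CHECKSUMS> [independent-hash]
# Exit status: 0 = match, 1 = mismatch (do not run it; keep the file and this
# output for the Issue), 2 = no CHECKSUMS entry for this binary.
verify_binary() {
  bin="$1"; checksums="$2"; independent="${3:-}"
  name=$(basename "$bin")
  want=$(expected_hash "$checksums" "$name")
  [ -n "$want" ] || { echo "no CHECKSUMS entry for $name" >&2; return 2; }
  got=$(sha256_of "$bin")
  if [ "$got" != "$want" ]; then
    echo "MISMATCH $name: CHECKSUMS=$want actual=$got" >&2; return 1
  fi
  # Cross-check against a hash from an unrelated source when one is given.
  if [ -n "$independent" ] && [ "$got" != "$independent" ]; then
    echo "MISMATCH $name: independent=$independent actual=$got" >&2; return 1
  fi
  echo "OK $name $got"; return 0
}

# Constructed sample: a fake "binary" and a CHECKSUMS file that lists it.
demo_dir=$(mktemp -d)
printf 'not a real binary\n' > "$demo_dir/tool"
printf '%s  tool\n' "$(sha256_of "$demo_dir/tool")" > "$demo_dir/CHECKSUMS"

verify_binary "$demo_dir/tool" "$demo_dir/CHECKSUMS" ||
  echo "do not run $demo_dir/tool; open an Issue with the output above" >&2
```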
