Remix clone Hacker News

new | show | ask | jobs Github

	▲	semiquaver 3 hours ago
		`> making it the first documented case of a self-spreading npm worm that carries valid SLSA provenance attestations` I’m sorry, but what is the point of a provenance attestation that can be generated automatically by malware? I would think that any system worth its salt would require strong cryptographic proof tying to some hardware second factor, not just “yep, this was was built on a github actions runner that had access to an ENV key.” It seems like this provenance scheme only works if the bad guys are utterly without creativity.
	▲	dboreham 2 hours ago \| parent [-]
		Proper security costs much more.