| ▲ | tabwidth an hour ago | |||||||
Most of the malicious ones just curl something in a postinstall script, scanners already catch that. The sneaky ones don't look malicious until they run, and three days may not help. | ||||||||
| ▲ | MeetingsBrowser an hour ago | parent | next [-] | |||||||
There are plenty of ways to notice a malicious release without observing it running. Build provenance, maintainer alerts on new releases, tying releases to specific git tags, etc all help. | ||||||||
| ▲ | drdexebtjl an hour ago | parent | prev [-] | |||||||
Every single one now will be more sneaky, and we’ll be operating on a 3-day cooldown for no reason. | ||||||||
| ||||||||