←back to thread

Immutable releases are now generally available on GitHub

(github.blog)
151 points fastest963 | 3 comments | 31 Oct 25 13:59 UTC | HN request time: 0.907s | source
Show context
eviks ◴[31 Oct 25 15:10 UTC] No.45772876[source]
Why is deletion not allowed, which supply chain attacks work by deleting a release, not changing it to a malicious one?
replies(5): >>45773196 #>>45773264 #>>45773401 #>>45773560 #>>45773758 #
1. hiccuphippo ◴[31 Oct 25 15:31 UTC] No.45773196[source]
I'd guess one MO is to delete a malicious package/url shortly after releasing it to prevent researchers from getting to it.
replies(1): >>45773226 #
2. eviks ◴[31 Oct 25 15:33 UTC] No.45773226[source]
So they wouldn't make a release immutable?
replies(1): >>45773378 #
3. zamadatix ◴[31 Oct 25 15:46 UTC] No.45773378[source]
Which means the tainted release doesn't matter anymore to those consumers worried about the immutable release attestation anyways. If others are worried about that, they should probably consume only attested immutable releases as well.

I'd still bet the larger portion was it was just a particularly easy path to preventing downgrade attacks or the like though. Could always be more to it as well I'm not thinking of, just feels likely.