151 points fastest963 | 1 comment
eviks No.45772876
Why is deletion not allowed? Which supply chain attacks work by deleting a release rather than changing it to a malicious one?
replies(5): >>45773196 #>>45773264 #>>45773401 #>>45773560 #>>45773758 #
danudey No.45773758
1. A release turns out to contain an exploitable bug

2. A release is published to fix the bug

3. Someone malicious with access deletes the release

4. Everyone downloading the "latest" version gets the exploitable version until the developers notice and re-publish again

I think about tools used in CI systems that are often re-downloaded in each run, like `helm` or `kubectl` or `crane` for example; if they're pinning a previous version they stay exploitable, and if they're downloading the 'latest' from GitHub then this switcheroo keeps them exploitable. Given that a lot of emergency security releases come with disclosure ("this is being released to resolve CVE-2025-12345") another 12 hours of exploitability can be critical.

replies(1): >>45773857 #
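The scenario above (a fixed release disappears and the upstream "latest" silently points back at the vulnerable build) is easy to guard against in a CI job with two checks: refuse floating tags in favour of an exact tag plus a committed SHA-256 digest, and record the highest "latest" seen so that a backwards move is flagged. The following is an added example written for this thread, not code from any commenter or from the tools named; the tool name, tags, artifact bytes and digests are constructed sample data.

```python
"""CI pre-flight guard against the 'deleted release' downgrade described
above. Added example, not code from the thread. The tool name 'helm',
the tags and the artifact bytes below are constructed sample data."""
import hashlib
import hmac
import re
from typing import Optional

_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(tag: str) -> tuple:
    """Turn 'v1.2.3' into (1, 2, 3) so versions compare numerically."""
    m = _SEMVER.match(tag.strip())
    if not m:
        raise ValueError(f"unsupported tag format: {tag!r}")
    return tuple(int(part) for part in m.groups())


def latest_regressed(previous_latest: Optional[str], upstream_latest: str) -> bool:
    """True when upstream's 'latest' now points at an OLDER version than the
    one this pipeline last recorded. A deleted fix release shows up this way."""
    if previous_latest is None:
        return False  # first run: nothing recorded to compare against yet
    return parse_version(upstream_latest) < parse_version(previous_latest)


def artifact_matches_pin(data: bytes, expected_sha256: str) -> bool:
    """Constant-time comparison of the downloaded bytes against the pinned digest."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())


def check_download(requested_tag: str, pins: dict, data: bytes,
                   previous_latest: Optional[str], upstream_latest: str) -> dict:
    """Decide whether a CI job may use the artifact it just fetched.

    pins maps an exact tag to the sha256 of the known-good artifact and is
    committed alongside the pipeline. 'latest' is never an acceptable request,
    because the upstream pointer can move backwards as well as forwards."""
    findings = []
    if requested_tag == "latest":
        findings.append("floating 'latest' requested; pin an exact tag instead")
    elif requested_tag not in pins:
        findings.append(f"no pinned digest for {requested_tag}")
    elif not artifact_matches_pin(data, pins[requested_tag]):
        findings.append(f"digest mismatch for {requested_tag}; artifact differs from the pin")
    if latest_regressed(previous_latest, upstream_latest):
        findings.append(
            f"upstream 'latest' moved backwards: {previous_latest} -> {upstream_latest}; "
            "a fixed release may have been deleted")
    return {"ok": not findings, "findings": findings}


# Constructed sample data: the fixed release v1.2.4 and its digest, recorded
# when the pin was last updated.
FIXED_ARTIFACT = b"helm-v1.2.4 (fixed build, constructed sample bytes)"
PINS = {"v1.2.4": hashlib.sha256(FIXED_ARTIFACT).hexdigest()}


if __name__ == "__main__":
    # Normal run: pinned tag, bytes match the pin, upstream 'latest' unchanged.
    print(check_download("v1.2.4", PINS, FIXED_ARTIFACT, "v1.2.4", "v1.2.4"))
    # The switcheroo: v1.2.4 deleted, upstream 'latest' is v1.2.3 again, and an
    # unpinned job would otherwise get the vulnerable build without noticing.
    print(check_download("latest", PINS, b"helm-v1.2.3 (constructed vulnerable build)",
                         "v1.2.4", "v1.2.3"))
```

The pin check alone already defeats the deletion, since a job that insists on `v1.2.4` with a matching digest simply fails instead of silently running `v1.2.3`; the regression check turns that failure into an explicit signal that the upstream project's release list has been tampered with, which is worth alerting on even in pipelines that were never using "latest".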
eviks No.45773857
Thanks, interesting scenario, but if you have access to releases like that, how is this easier vs. just publishing a release with an exploit and getting the same X hours before you're discovered?