Matthias Pigulla

274 comments by Matthias Pigulla

In the special case of the NPM package 👆🏻 mentioned above, seemingly the package maintainer's NPM account was breached so malicious package versions could be published under their name. (My...

In which cases do signatures add value over downloading the .zip files generated by GitHub over HTTPS? If someone breaks into the maintainer's GitHub account and modifies code? Would it...

The blog post from the initial comment seems to be no longer available but has been archived at https://web.archive.org/web/20150304203959/http://blog.astrumfutura.com/2015/03/securely-distributing-phars-pitfalls-and-solutions/. Regarding Symfony and Fabien Potencier's article, the repo hosting the checksums...

I've tried to read up a bit on the topic and I must say that [the challenge](https://theupdateframework.github.io/security.html) appears to be so big it is daunting. In the one corner, there's...

Any chance we can attack this with a "think big start small" mindset? What if, for example, maintainers with a packagist.com account could manage their public signing keys there? Keys...

Could somebody please add a little more context regarding when exactly this problem occurs? What are these "multiple servers" from the OP, and how do they create the archives? For...

Hey @peff 👋🏼, you've been very helpful back in 2017 over at Homebrew/homebrew-core#18044, where the Homebrew team had to deal with checksums for GitHub repo archives that suddenly changed. To...

Jordi, thank you for getting back to this (c)old case so quickly. The reason why I was browsing this and related issues (#5940, #4022) is that I was hoping that...

Thank you @vladaionescu for the quick answer! To stick with the `yarn` example, there are a lot of subcommands (`install`, `add`, `upgrade`, ...) that one might want to run during...

Support for the `WhatFailureGroupHandler` is in #107.