Comment on A sneaky demonstration of the dangers of curl bash
ShortN0te@lemmy.ml 17 hours ago
To achieve a compromised update you either need to compromise the update infrastructure AND the key or the infrastructure AND exploit the local updater to accept the invalid or forged signature.
As I said, to compromise a signature checked update over the internet you need to compromise both, the distributing infrastructure AND the key. With just either one it's not possible. (Ignoring flaws in the code ofc)
xylogx@lemmy.world 16 hours ago
Take a look at Shai Hulud. All the attacker had was the key.
ShortN0te@lemmy.ml 14 hours ago
Yes, the secrets to submit to the distribution system got compromised and therefore the system got compromised.