pete_wright, if you are shocked about how a hidden change to a release tarball can backdoor ssh, wait until you see whatever the hell people are doing in the Docker/Linux-container ecosystem 😅
Although I'm sure we all have fully audited the containers that get slurped into your CI/CD pipeline on, say, CircleCI or GitHub Actions, right?
I looked at some of the default ones once and wept...