Yuri :godot: on Nostr: FOSS is based on cooperation and trust. And we tend to place some measure of trust in ...
FOSS is based on cooperation and trust. And we tend to place some measure of trust in open projects, because "they can be validated by everyone". (This is dangerous, but that's another story.)
A malicious actor can use that.
There are plenty of repositories on GH that have no code. Just a readme and nothing else. However, their releases still have a "Source code" entry and you may assume that they chose to provide the sources this way.
They didn't. Nobody can validate their code. Be careful.
Published at 2024-11-12 15:31:15
Event JSON
{
  "id": "0d10889dca810f52d131e4d000e62a04895cd515bee7f3580b7d90c067ea6eb7",
  "pubkey": "6a06c9ff8bf4021a207b4f57196bf459d6952cbc5ee8b5096fdf7a48749cb36b",
  "created_at": 1731425475,
  "kind": 1,
  "tags": [
    [
      "e",
      "b504166fd0994987a19a34a360330790e0ebce0b2f16722400c70a79993c4331",
      "wss://relay.mostr.pub",
      "reply"
    ],
    [
      "proxy",
      "https://mastodon.gamedev.place/users/yurisizov/statuses/113470699937742948",
      "activitypub"
    ]
  ],
  "content": "FOSS is based on cooperation and trust. And we tend to place some measure of trust in open projects, because \"they can be validated by everyone\". (This is dangerous, but that's another story.)\n\nA malicious actor can use that.\n\nThere are plenty of repositories on GH that have no code. Just a readme and nothing else. However, their releases still have a \"Source code\" entry and you may assume that they chose to provide the sources this way.\n\nThey didn't. Nobody can validate their code. Be careful.",
  "sig": "85c64b2dd5a3d39b2ddf997e94e268590a23c024e6dc4eaaa05300472e6f7d81536e2225269a10365326db6cd63617ee852d0918b7e5d46df0a3f351fb639ca9"
}
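The pattern the post warns about can be checked mechanically before trusting a release. GitHub's auto-generated "Source code (zip)" and "Source code (tar.gz)" links are not uploaded files; they are archives of the repository tree at the release tag, so a repository that contains only a README produces a "Source code" archive that also contains only a README. The following is an added example, not code from the post's author: a defender-side heuristic that classifies a release as unverifiable when it ships prebuilt assets but the tree at its tag holds no source. It runs offline on dictionaries shaped like a subset of the GitHub REST API responses for the recursive git tree and the releases endpoints; the key names (`tree`, `path`, `type`, `tag_name`, `assets`, `name`) exist in that API, while every repository, tag and asset value below is constructed sample data.

```python
"""Heuristic: does a release ship binaries with no source behind them?

Added example, not from the original post.  Input shapes follow a subset of
GitHub's REST API (`GET /repos/{o}/{r}/git/trees/{tag}?recursive=1` and
`GET /repos/{o}/{r}/releases`); all sample values are constructed.
"""
from __future__ import annotations

import posixpath

# Documentation / metadata files that do not count as source.
NON_SOURCE_STEMS = {
    "readme", "license", "licence", "copying", "changelog", "contributing",
    "code_of_conduct", "security", "authors", "notice", "funding",
}
NON_SOURCE_EXTS = {".md", ".txt", ".rst", ".adoc", ".png", ".jpg", ".gif", ".svg"}

# Uploaded asset suffixes that denote prebuilt artefacts a user would run or install.
BINARY_SUFFIXES = (
    ".exe", ".msi", ".dmg", ".pkg", ".deb", ".rpm", ".appimage",
    ".zip", ".tar.gz", ".tgz", ".jar", ".apk", ".whl",
)


def is_source_file(path: str) -> bool:
    """True if the path looks like code or build config rather than docs/metadata."""
    name = posixpath.basename(path)
    if name.startswith("."):                 # .gitignore, .editorconfig, ...
        return False
    stem, ext = posixpath.splitext(name)
    return stem.lower() not in NON_SOURCE_STEMS and ext.lower() not in NON_SOURCE_EXTS


def source_files_in_tree(tree_response: dict) -> list[str]:
    """Paths of blobs in a recursive tree listing that look like source."""
    return [
        entry["path"]
        for entry in tree_response.get("tree", [])
        if entry.get("type") == "blob" and is_source_file(entry["path"])
    ]


def binary_assets(release: dict) -> list[str]:
    """Names of uploaded release assets that look like prebuilt artefacts.

    The auto-generated "Source code" archives are NOT in `assets`; they are
    derived from the tag, which is why the tree is inspected separately.
    """
    return [
        asset["name"]
        for asset in release.get("assets", [])
        if asset["name"].lower().endswith(BINARY_SUFFIXES)
    ]


def assess_release(release: dict, tree_at_tag: dict) -> dict:
    """Classify a release by whether its binaries have any source behind them."""
    sources = source_files_in_tree(tree_at_tag)
    binaries = binary_assets(release)
    if binaries and not sources:
        verdict = "unverifiable"            # binaries with nothing to build them from
    elif binaries:
        verdict = "check-reproducibility"   # source exists: rebuild and compare
    else:
        verdict = "source-only"             # nothing prebuilt to worry about
    return {
        "tag": release.get("tag_name"),
        "source_files": len(sources),
        "binary_assets": binaries,
        "verdict": verdict,
    }


# --- constructed sample data (API shapes are real, values are made up) ---
README_ONLY_TREE = {"tree": [
    {"path": "README.md", "type": "blob"},
    {"path": "LICENSE", "type": "blob"},
    {"path": "docs", "type": "tree"},
    {"path": "docs/screenshot.png", "type": "blob"},
]}
REAL_PROJECT_TREE = {"tree": [
    {"path": "README.md", "type": "blob"},
    {"path": "Cargo.toml", "type": "blob"},
    {"path": "src", "type": "tree"},
    {"path": "src/main.rs", "type": "blob"},
]}
BINARY_RELEASE = {"tag_name": "v1.0.0", "assets": [
    {"name": "tool-windows-x64.exe"},
    {"name": "tool-linux-x64.tar.gz"},
]}
TAG_ONLY_RELEASE = {"tag_name": "v0.1.0", "assets": []}

if __name__ == "__main__":
    for rel, tree in ((BINARY_RELEASE, README_ONLY_TREE),
                      (BINARY_RELEASE, REAL_PROJECT_TREE),
                      (TAG_ONLY_RELEASE, README_ONLY_TREE)):
        print(assess_release(rel, tree))
```

A "check-reproducibility" verdict is not a clean bill of health: source being present only means a rebuild can be attempted and compared with the uploaded asset. The "unverifiable" verdict is the case the post describes, where nothing in the repository could have produced the binaries on offer.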