1 point | by packattest 9 hours ago
2 comments
One thing I’m curious about:
We’ve focused a lot on provenance (where artifacts come from), but less on verifying what actually gets published.
Feels like both are needed — provenance + explicit artifact review.
Curious if others have seen similar issues in other ecosystems (pip, cargo, etc.).
[dead]
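The comment's point, that a provenance check and a review of the published artifact answer different questions, can be shown with a small Python example. This is an added illustration, not code from the thread or from any registry; the provenance record is assumed to be a plain dict naming the artifact digest and a source commit (a constructed placeholder), and both the "source tree" and the "published artifact" are constructed in memory so it runs offline. The provenance check passes because the digest matches, yet the content review flags a file that the named source commit never contained.

```python
"""Provenance check versus artifact review (added example, constructed data)."""
import hashlib
import io
import tarfile


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_tarball(files: dict) -> bytes:
    """Build an in-memory .tar.gz from {path: bytes}; stands in for a registry upload."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in sorted(files.items()):
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def check_provenance(artifact: bytes, provenance: dict) -> bool:
    """Provenance question: is this the exact blob the attestation describes?
    (A real attestation would also carry a signature; that is out of scope here.)"""
    return sha256(artifact) == provenance["artifact_sha256"]


def review_artifact(artifact: bytes, source_tree: dict) -> dict:
    """Content question: does the blob contain only what the claimed source commit has?
    Returns sorted lists of unexpected, modified and missing paths."""
    findings = {"unexpected": [], "modified": [], "missing": []}
    seen = set()
    with tarfile.open(fileobj=io.BytesIO(artifact), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            seen.add(member.name)
            data = tar.extractfile(member).read()
            if member.name not in source_tree:
                findings["unexpected"].append(member.name)
            elif sha256(data) != sha256(source_tree[member.name]):
                findings["modified"].append(member.name)
    findings["missing"] = list(set(source_tree) - seen)
    for key in findings:
        findings[key].sort()
    return findings


def verify(artifact: bytes, provenance: dict, source_tree: dict) -> dict:
    """Accept only when both checks pass; report each result separately."""
    prov_ok = check_provenance(artifact, provenance)
    review = review_artifact(artifact, source_tree)
    clean = not any(review.values())
    return {"provenance_ok": prov_ok, "review": review, "accept": prov_ok and clean}


# Constructed sample: the source tree at the commit the provenance names ...
SOURCE_TREE = {
    "README.md": b"# pkg\n",
    "pkg/__init__.py": b"__version__ = '1.0'\n",
    "pkg/core.py": b"def run():\n    return 42\n",
}
# ... and a published artifact that carries one extra file not in that commit.
PUBLISHED_FILES = dict(SOURCE_TREE)
PUBLISHED_FILES["pkg/extra.py"] = b"# not present in the tagged source\n"
PUBLISHED_ARTIFACT = build_tarball(PUBLISHED_FILES)

# Constructed provenance record: digest is correct, so provenance alone passes.
PROVENANCE = {
    "artifact_sha256": sha256(PUBLISHED_ARTIFACT),
    "source_commit": "0000000-placeholder-commit",
}

if __name__ == "__main__":
    result = verify(PUBLISHED_ARTIFACT, PROVENANCE, SOURCE_TREE)
    print("provenance ok:", result["provenance_ok"])
    print("review findings:", result["review"])
    print("accept:", result["accept"])
```

Run it and the provenance check reports true while the review lists `pkg/extra.py` as unexpected, so the artifact is not accepted; a tarball built straight from `SOURCE_TREE` with a matching digest passes both checks. The same comparison could be driven by a real `git archive` of the attested commit instead of the constructed dict.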