Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> I'd suggest you submodule in dependencies rather than curl. Supply chain attacks and version incompatibilities both happen and suck

What kind of supply chain attack or version incompatibility would affect

  curl -sSL https://github.com/edicl/hunchentoot/archive/v1.3.1.tar.gz | tar -xz
but not

  git submodule add https://github.com/edicl/hunchentoot.git && cd hunchentoot/ && git checkout v1.3.1

?




Submodules are pinned by commit hash. It prevents an attacker from replacing a release.

reply


That is very handy to know.

reply


You can achieve roughly the same by writing down the SHA256 hash the first time you download and then comparing when you download the next time.

But, yeah, while I do not like submodules, for vendoring stuff it seems a reasonable approach. There's also https://github.com/fosskers/vend if you lean that way.

reply




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: