@yuki_the_maven I guess coming from kind of a n00b perspective, replacing the binary while malware while the app still worked seemed sophisticated. But, this is bad news for Gitea at the time when they could be getting the biggest user growth. I wouldn't have known to sign the binary, but if they didn't that makes me concerned they could overlook other simple security stuff. So then, I should use GitLab instead kind of thing.

@stephen bad news indeed, when I read your post I was, in fact, going through the docs considering a deployment lol.bad timing but seems that they employed mitigations. I'm still confused on the point of automated signatures mentioned though.

@yuki_the_maven Done a lil more research. Looks like reproducible builds are necessary in order to be able to confirm authenticity and they don't seem close to that. https://github.com/go-gitea/gitea/issues/4181
Can't say I can put great confidence in them until they get repro'dable builds and release a post-mortem. Musta been a MS op to stop ppl leaving github.

https://news.ycombinator.com/item?id=17260221

https://grh.am/2018/a-look-at-the-compromised-gitea-release/

@stephen interesting!
afaik reproducible builds solve a different problem than the one of this issue, in this case gpg signing the binary published so that it's possible to verify its authenticity seems to be enough. unless the signing key is compromised ofc.
a postmortem would be nice indeed

@stephen on the point of being a msft sabotage op, idk. timeline kinda matches but as pointed in the hn thread gitea is a very different tool than github, I'm not sure I would consider it a competitor

@yuki_the_maven Tbh signed binaries and reproducible builds are above my head. haha i don't think MS has a black ops team. unless... do you think ms has a black ops team?

@stephen I'm sure they do. they definitely do.

@stephen reproducible builds = if we both compile from same source we both get a binary that is same byte-by-byte. then given a hash/sig I can verify that my local compile build what I expected it to, and in lack of a centrally (or by gossip?) issued hash/sig I can compare with my neighbors.
signed = signed with public key cryptography. only legitimate owner of the key can generate that specific sig and whoever in possess of the public key can use it to verify authenticity. must keep key secure

@yuki_the_maven So is what composer does the reproducible build method then? Or is that something else? https://getcomposer.org/download/

@stephen no composer solves the problem of dependency management. php does not have a compilation stage so it's not the same as a reproducible build. still composer helps meaning that for a certain release you want to combine your source code with certain versions of your dependencies. if composer can pin or vendor versions then it *kinda* solves the analogous problem for interpreted languages

@yuki_the_maven Sorry I wasn't clear, I meant actually downloading composer

`hash_file('SHA384', 'composer-setup.php') == [hash]`

Is part of the download instructions. I was wondering if you knew if that is one of these methods or maybe another method of checking a binary. Thanks for the knowledge though, this stuff is super interesting.

@stephen aaaahhh I see. no, that script id sownloading the composer installer, that is a php script and not a binary, calculating the sha384 hash of the file and comparing it against a known hash published by the vendor. simpler than gpg sign and does not require key management but easier to provide an user with tampered hashes, while signatures are resistant to this