Skip to content

Commit

Permalink
Remove additional the
Browse files Browse the repository at this point in the history 
Co-authored-by: Jonah Aragon <[email protected]>
Signed-off-by: Daniel Nathan Gray <[email protected]>
  • Loading branch information
@dngray @jonaharagon
dngray and jonaharagon authored Apr 11, 2024
1 parent c4a5f24 commit ed0a6a0
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion docs/basics/common-threats.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -77,7 +77,7 @@ There are few ways in which this type of attack might be carried out:

These sorts of attacks can require a lot of time and preparation to perform and are risky because they can be detected, particularly in open source projects if they are popular and have outside interest. Unfortunately they're also one of the most dangerous as they are very hard to mitigate entirely. We would encourage readers only use software which has a good reputation and makes an effort to reduce risk by:

1. Only adopting popular software that has been around for a while. The more interest in a project the, the greater likelihood that external parties will notice malicious changes. A malicious actor will also need to spend more time gaining community trust with meaningful contributions.
1. Only adopting popular software that has been around for a while. The more interest in a project the greater likelihood that external parties will notice malicious changes. A malicious actor will also need to spend more time gaining community trust with meaningful contributions.
2. Make sure software you use builds released binaries with widely-used, trusted build infrastructure platforms (i.e. GitHub workflows) as opposed to developer workstations or self-hosted servers. This is in order to reduce the attack surface and give confidence that the binaries produced are in fact produced correctly.
3. Code signing on individual commits and releases increases an auditable trail of who did what. For example: Was the malicious code in the software repository? Which developer added it? Was it added during the build process?
4. In open source projects the code should have meaningful commit messages (such as [conventional commits](https://conventionalcommits.org)) which explain what the change is supposed accomplish. Clear messages make it easier for outsiders to the project to verify, audit and find bugs.
Expand Down

0 comments on commit ed0a6a0

Please sign in to comment.