  • Linux Security @lemmy.ml
    maltfield @monero.town

    Supply Chain Security Harm Reduction with 3TOFU

    3TOFU: Verifying Unsigned Releases

    By Michael Altfield
    License: CC BY-SA 4.0
    https://tech.michaelaltfield.net/

    This article introduces the concept of 3TOFU - a harm-reduction process when downloading software that cannot be verified cryptographically.

    Verifying Unsigned Releases with 3TOFU

    ⚠ NOTE: This article is about harm reduction.

    It is dangerous to download and run binaries (or code) whose authenticity you cannot verify (using a cryptographic signature from a key stored offline). However, sometimes we cannot avoid it. If you're going to proceed with running untrusted code, then following the steps outlined in this guide may reduce your risk.

    TOFU