@chansecodina @hyc @coderanger I guess my problem with this direction is that I don't think it really addresses the problem. It's taking the real problem, the JiaTan situation, and saying "well, we can't solve that problem, but we can solve this appears-to-be-related problem over here," but IMO that apparently unrelated problem isn't one that actually matters.
At the end of the day the 'root of trust' for a particular project or component is functionally their website, and TLS shuts down the easy/practical ways to insert oneself into that. Most certificate exchange or hashing mechanisms would also be delivered via the same website so compromise of that is compromise of everything. And things like BOMs tend to give a false sense of 'security' being offered by what is morally an attestation.
Billy O'Neal
@malwareminigun@infosec.exchange
Dev at Microsoft on the vcpkg team. Former @VisualC STL maintainer. He/Him (Although I don’t care much)
infosec.exchange
Mar 24, 2026