> I'd suggest you submodule in dependencies rather than curl. Supply chain attacks and version incompatibilities both happen and suck
What kind of supply chain attack or version incompatibility would affect
curl -sSL https://github.com/edicl/hunchentoot/archive/v1.3.1.tar.gz | tar -xz
but not git submodule add https://github.com/edicl/hunchentoot.git && cd hunchentoot/ && git checkout v1.3.1
?
Submodules are pinned by commit hash. It prevents an attacker from replacing a release.
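Added example, not part of the thread: a local reproduction of the pinning behaviour described in the last reply. The repository names `upstream` and `app`, the file `lib.txt`, and the function `demo_pinning` are constructed for the demo; `protocol.file.allow=always` is set only so git accepts a local path as a submodule URL.

```shell
#!/bin/sh
# Constructed demo: "upstream" and "app" are throwaway local repositories.
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# Prints three commit ids: "<original> <moved> <fresh>"
demo_pinning() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        allow="protocol.file.allow=always"   # permits local-path submodules

        # Upstream publishes a release and tags it.
        git init -q upstream
        echo "release code" > upstream/lib.txt
        git -C upstream add lib.txt
        git -C upstream commit -q -m "release"
        git -C upstream tag v1.3.1
        original=$(git -C upstream rev-parse v1.3.1)

        # Consumer adds the dependency as a submodule at that tag.
        git init -q app
        git -C app -c "$allow" submodule add "$work/upstream" dep >/dev/null 2>&1
        git -C app/dep checkout -q v1.3.1
        git -C app add dep
        git -C app commit -q -m "pin dep at v1.3.1"

        # The release is replaced: new content, tag force-moved onto it.
        echo "replaced code" > upstream/lib.txt
        git -C upstream commit -q -am "replaced release"
        git -C upstream tag -f v1.3.1 >/dev/null
        moved=$(git -C upstream rev-parse v1.3.1)

        # A fresh checkout of the consumer follows the recorded commit id,
        # not the tag name, so it still gets the original release.
        git -c "$allow" clone -q --recurse-submodules app fresh >/dev/null 2>&1
        fresh=$(git -C fresh/dep rev-parse HEAD)

        echo "$original $moved $fresh"
    )
    status=$?
    rm -rf "$work"
    return $status
}

demo_pinning
```

The first and third ids match while the second differs: the tag name now resolves to the replaced commit, but the superproject's recorded commit id does not follow it. A tarball fetched by tag URL gets the same property only if its checksum is recorded and verified.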