logoalt Hacker News

MeetingsBrowseryesterday at 11:25 PM0 repliesview on HN

There are plenty of ways to notice a malicious release without observing it running.

Build provenance, maintainer alerts on new releases, tying releases to specific git tags, etc all help.