2 comments

[ 1.0 ms ] story [ 12.4 ms ] thread
I think they're being too lenient to be honest. Projects were assuming too much by recording and relying upon those hashes.
> If you rely on stable archives for security (ensuring you don’t accidentally trigger a tarbomb, for example), we recommend you switch to release assets instead of using source downloads.

Isn't that actually the only way you could get a zipbomb? git-archive will never generate a zipbomb...