Unverified Commit 6635577b authored by Mark Lodato's avatar Mark Lodato Committed by GitHub
Browse files

Merge pull request #252 from MarkLodato/typosquatting

Explain how SLSA can help with typosquatting.
parents bb21d3e0 c506ccc0
......@@ -552,7 +552,10 @@ cryptographic signature is no longer valid.
*Threat:* Register a package name that is similar looking to a popular package
and get users to use your malicious package instead of the benign one.
*Mitigation:* **Outside the scope of SLSA.**
*Mitigation:* **Mostly outside the scope of SLSA.** That said, the requirement
to make the source available can be a mild deterrent, can aid investigation or
ad-hoc analysis, and can complement source-based typosquatting solutions.
<sup>[[Verified history] and [Retained indefinitely] @ SLSA 3]</sup>
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment