Commit c506ccc0 authored by Mark Lodato

Explain how SLSA can help with typosquatting.



Previously the doc said flatly that typosquatting was out of scope. But
SLSA can be a partial mitigation, so we should clarify that.
Signed-off-by: Mark Lodato <lodato@google.com>
parent bb21d3e0
......@@ -552,7 +552,10 @@ cryptographic signature is no longer valid.
*Threat:* Register a package name that is similar looking to a popular package
and get users to use your malicious package instead of the benign one.
*Mitigation:* **Outside the scope of SLSA.**
*Mitigation:* **Mostly outside the scope of SLSA.** That said, the requirement
to make the source available can be a mild deterrent, can aid investigation or
ad-hoc analysis, and can complement source-based typosquatting solutions.
<sup>[[Verified history] and [Retained indefinitely] @ SLSA 3]</sup>
</details>
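Review bot: The citation on the new mitigation does not match the claim it supports: the sentence relies on "the requirement to make the source available", but the superscript cites [Verified history] and [Retained indefinitely] @ SLSA 3, which concern the integrity and retention of the revision history rather than public availability of the source. Either cite the requirement that actually mandates source availability, or reword the sentence to what those two requirements guarantee (a tamper-evident, permanently retained history that can be inspected during an investigation). It would also help the reader if the paragraph said in one clause why this stays "Mostly outside the scope": SLSA attests to how the named package was built, not to whether that name is the one the user intended, so a look-alike package can carry perfectly valid provenance. Finally, "source-based typosquatting solutions" is vague; a short parenthetical or link naming the kind of check meant (for example, comparing the look-alike package's source against the popular package it imitates) would make the complement concrete.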
......