Rephrase "The update did not match the code submitted to GitHub"?
Opened this issue · 1 comment
>The update did not match the code submitted to GitHub
this phrase is used a few times here, but I'm not sure what it means.
I think it has to mean basically "use of compromised dependency."
I.e., the revision consumed was not the one provided in the build inputs, but I think that's not very clear from this sentence.
I recommend replacing all usage with: "The update used unauthorized build inputs."
Originally posted by @zachariahcox in #1209 (comment)
From what I can tell, this phrase is only used once in "Known example" text for "Use compromised dependency". So it's referring to a specific event (the event-stream attack).
In that attack the idea is that the maintainer had a package that purported to be from GitHub repo X, but uploaded a package that wasn't from repo X. Since there wasn't any SLSA verification in place, I don't think it's correct to say the update used unauthorized build inputs.
Perhaps "The updated binary was not built from the purported source code"?
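What a provenance check against the purported source would catch in the situation described above, as an added example that is not code from the SLSA project or from this thread. The provenance field layout, package contents and repo/commit values are constructed assumptions, and signature verification of the provenance statement is assumed to happen before this check runs.

```python
import hashlib

# Constructed values for this example; not real package data.
PURPORTED_REPO = "git+https://github.com/example/upstream-pkg"
PURPORTED_COMMIT = "1111111111111111111111111111111111111111"
HONEST_TARBALL = b"built from upstream-pkg @ 1111111"
TAMPERED_TARBALL = b"built somewhere else, with extra payload"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_provenance(artifact: bytes, source_uri: str, commit: str) -> dict:
    """Simplified provenance: subject = artifact digest, materials = git source.
    The field names mimic an in-toto/SLSA statement but are an assumption here."""
    return {
        "subject": [{"name": "pkg.tgz", "digest": {"sha256": sha256_hex(artifact)}}],
        "predicate": {"materials": [{"uri": source_uri, "digest": {"sha1": commit}}]},
    }

def check_source(statement: dict, artifact: bytes, repo: str, commit: str) -> list:
    """Return reasons to reject the artifact; an empty list means it checks out.
    Signature verification of the statement is assumed to have happened already."""
    problems = []
    subjects = {s["digest"].get("sha256") for s in statement.get("subject", [])}
    if sha256_hex(artifact) not in subjects:
        problems.append("artifact digest is not a subject of the provenance")
    sources = [m for m in statement.get("predicate", {}).get("materials", [])
               if m.get("uri", "").startswith("git+")]
    if not any(m["uri"] == repo and m["digest"].get("sha1") == commit for m in sources):
        problems.append("provenance source does not match the purported repo/commit")
    return problems

def honest_release() -> list:
    """Artifact really built from the purported source: no problems."""
    prov = make_provenance(HONEST_TARBALL, PURPORTED_REPO, PURPORTED_COMMIT)
    return check_source(prov, HONEST_TARBALL, PURPORTED_REPO, PURPORTED_COMMIT)

def swapped_release() -> list:
    """event-stream style: provenance describes the honest build, but the
    published tarball was not produced from it (digest mismatch)."""
    prov = make_provenance(HONEST_TARBALL, PURPORTED_REPO, PURPORTED_COMMIT)
    return check_source(prov, TAMPERED_TARBALL, PURPORTED_REPO, PURPORTED_COMMIT)

def foreign_source_release() -> list:
    """Provenance is genuine but names a different source than the one claimed."""
    prov = make_provenance(TAMPERED_TARBALL, "git+https://github.com/example/fork", "2" * 40)
    return check_source(prov, TAMPERED_TARBALL, PURPORTED_REPO, PURPORTED_COMMIT)
```

With no provenance at all (the actual event-stream situation), `check_source` reports both the missing subject digest and the missing source, which is the point of the proposed wording: the binary cannot be tied to the purported source code.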