When you pull an OCI image from a registry, you implicitly trust that it contains what its builder claims it does. The builder may even provide an SBOM for the image, but the SBOM itself must also be trusted: nothing prevents a builder from publishing an innocuous SBOM while injecting malware into the image. Reproducible builds render this sort of undetectable tampering impossible: a user can directly...
Reproducible builds in Project Hummingbird | Huntaegis