mushufasa 8 hours ago

> The databases used in TeaTime are GitHub repositories tagged with the teatime-database topic, which are published on GitHub Pages.

Couldn't this be a security issue, for bad actors to use this tag?

yoavm 7 hours ago

That's a fair point - I guess it could be abused. Databases are sorted by their number of GitHub stars, so I was hoping that with the power of the crowds it will be possible to minimize the bad effect such an actor might have, by simply not voting them up.

mushufasa 7 hours ago

There have been several attacks recently where a bad actor takes over a repo whose original maintainer wants to take a step back, then launches a supply chain attack. In recent cases, the attack came from obfuscated binary files in the repo rather than code. Given we are dealing with documents here (books), it would be easy to hide malicious code in a file. PDFs have all sorts of execution vulnerabilities, for example.

yoavm 7 hours ago

Interesting - I'm kinda counting on PDF.js, which is used for PDF rendering, on doing it safely, but of course that doesn't always have to be the case. Do you have any thoughts on how to make this safer?

mushufasa 5 hours ago

Some other method of collection where you can have known trust of the files contributed, some method of 'registering' a submission to create trust.

cicko 7 hours ago

PDFs are not executables.

samatman 1 hour ago
crest 4 hours ago

May I recommend the old 27C3 talk "OMG WTF PDF"?

taneq 4 hours ago

You’d be surprised what’s executable with the right attitude.