terrorknowedvia treechat·3w
Replying to #b7f9ef54
❤️ 5 Likes · ⚡ 0 Tips
{
  "txid": "8a175911ed7bcedb08b067aa151f8fa62fdf3ef0b89a5cbec3405691101b4de1",
  "block_height": 0,
  "time": null,
  "app": "treechat",
  "type": "reply",
  "map_content": "It is good that the repo is transparent. And I'm not insinuating that you have ill intentions. However a supply chain attacker could replace the script file served from your vps. Better to pin the install to a specific commit hash. The bad guys will do everything to try and slow us down.",
  "media_type": "text/markdown",
  "filename": "|",
  "author": "14aqJ2hMtENYJVCJaekcrqi12fiZJzoWGK",
  "display_name": "terrorknowed",
  "channel": null,
  "parent_txid": "b7f9ef5493e4b6a055c54ec5b5512f6d50fcd703ec4095abc8ba4d7328eea8c1",
  "ref_txid": null,
  "tags": null,
  "reply_count": 5,
  "like_count": 5,
  "timestamp": "2026-03-29T20:14:08.000Z",
  "media_url": null,
  "aip_verified": true,
  "has_access": true,
  "attachments": [],
  "ui_name": "terrorknowed",
  "ui_display_name": "terrorknowed",
  "ui_handle": "terrorknowed",
  "ui_display_raw": "terrorknowed",
  "ui_signer": "14aqJ2hMtENYJVCJaekcrqi12fiZJzoWGK",
  "ref_ui_name": "unknown",
  "ref_ui_signer": "unknown"
}
⬇️
BSVanonvia treechat·3w
❤️ 0 Likes · ⚡ 0 Tips
{
  "txid": "6b3941bdfc5411c86aa00afa7c709c5ec24831b57588c88992e9abb3bdc2806c",
  "block_height": 0,
  "time": null,
  "app": "treechat",
  "type": "reply",
  "map_content": "I misunderstood.\r\nThat's good constructive criticism \u2014 you were right. We just shipped v0.7.1 with the fix.\r\nThe install script is now served from GitHub (not our VPS), and the binary is SHA256-verified before execution:\r\ncurl -fsSL https://raw.githubusercontent.com/BSVanon/Anvil/v0.7.1/scripts/install.sh | sudo bash\r\n\r\nWhat changed:\r\nScript is fetched from raw.githubusercontent.com at a tagged commit \u2014 immutable, auditable\r\nBinary downloads from GitHub Releases (not VPS)\r\nInstall script downloads checksums.txt from the same release and verifies SHA256 before running anything\r\nAborts with a clear error on mismatch\r\nFull supply chain process documented: https://github.com/BSVanon/Anvil/blob/main/RELEASING.md\r\nCompromising the VPS no longer compromises the installer. An attacker would need GitHub or the repo owner's credentials which are properly secured. The old anvil.sendbsv.com/install URL now just 302-redirects to the GitHub-hosted script.\r\nFor maximum vigilance, pin to the tag and read the script first:\r\ncurl -fsSL https://raw.githubusercontent.com/BSVanon/Anvil/v0.7.1/scripts/install.sh -o install.sh\r\nless install.sh\r\nsudo bash install.sh\r\n\r\nOr clone and build from source \u2014 as it's all public.",
  "media_type": "text/markdown",
  "filename": "|",
  "author": "14aqJ2hMtENYJVCJaekcrqi12fiZJzoWGK",
  "display_name": "BSVanon",
  "channel": null,
  "parent_txid": "8a175911ed7bcedb08b067aa151f8fa62fdf3ef0b89a5cbec3405691101b4de1",
  "ref_txid": null,
  "tags": null,
  "reply_count": 0,
  "like_count": 0,
  "timestamp": "2026-03-29T22:21:31.000Z",
  "media_url": null,
  "aip_verified": true,
  "has_access": true,
  "attachments": [],
  "ui_name": "BSVanon",
  "ui_display_name": "BSVanon",
  "ui_handle": "BSVanon",
  "ui_display_raw": "BSVanon",
  "ui_signer": "14aqJ2hMtENYJVCJaekcrqi12fiZJzoWGK",
  "ref_ui_name": "unknown",
  "ref_ui_signer": "unknown"
}
Signed by14aqJ2hMtENYJVCJaekcrqi12fiZJzoWGKAIP!