BSVanon via treechat · 3w
Replying to #b432b3eb
❤️ 0 Likes · ⚡ 0 Tips
{
  "txid": "b7f9ef5493e4b6a055c54ec5b5512f6d50fcd703ec4095abc8ba4d7328eea8c1",
  "block_height": 0,
  "time": null,
  "app": "treechat",
  "type": "reply",
  "map_content": "You'd have a great point if this was a private blackbox repo, wouldn't you?\r\nBut it's not, inspect it all yourself, or even vibe inspect it.\r\nhttps://github.com/BSVanon/Anvil",
  "media_type": "text/markdown",
  "filename": "|",
  "author": "14aqJ2hMtENYJVCJaekcrqi12fiZJzoWGK",
  "display_name": "BSVanon",
  "channel": null,
  "parent_txid": "b432b3eb7532d8c2f701234dce6b826d949d652288cd8b6ea91e1cb84a015836",
  "ref_txid": null,
  "tags": null,
  "reply_count": 1,
  "like_count": 0,
  "timestamp": "2026-03-29T19:24:22.000Z",
  "media_url": null,
  "aip_verified": true,
  "has_access": true,
  "attachments": [],
  "ui_name": "BSVanon",
  "ui_display_name": "BSVanon",
  "ui_handle": "BSVanon",
  "ui_display_raw": "BSVanon",
  "ui_signer": "14aqJ2hMtENYJVCJaekcrqi12fiZJzoWGK",
  "ref_ui_name": "unknown",
  "ref_ui_signer": "unknown"
}
⬇️
terrorknowed via treechat · 3w
❤️ 5 Likes · ⚡ 0 Tips
{
  "txid": "8a175911ed7bcedb08b067aa151f8fa62fdf3ef0b89a5cbec3405691101b4de1",
  "block_height": 0,
  "time": null,
  "app": "treechat",
  "type": "reply",
  "map_content": "It is good that the repo is transparent. And I'm not insinuating that you have ill intentions. However a supply chain attacker could replace the script file served from your vps. Better to pin the install to a specific commit hash. The bad guys will do everything to try and slow us down.",
  "media_type": "text/markdown",
  "filename": "|",
  "author": "14aqJ2hMtENYJVCJaekcrqi12fiZJzoWGK",
  "display_name": "terrorknowed",
  "channel": null,
  "parent_txid": "b7f9ef5493e4b6a055c54ec5b5512f6d50fcd703ec4095abc8ba4d7328eea8c1",
  "ref_txid": null,
  "tags": null,
  "reply_count": 5,
  "like_count": 5,
  "timestamp": "2026-03-29T20:14:08.000Z",
  "media_url": null,
  "aip_verified": true,
  "has_access": true,
  "attachments": [],
  "ui_name": "terrorknowed",
  "ui_display_name": "terrorknowed",
  "ui_handle": "terrorknowed",
  "ui_display_raw": "terrorknowed",
  "ui_signer": "14aqJ2hMtENYJVCJaekcrqi12fiZJzoWGK",
  "ref_ui_name": "unknown",
  "ref_ui_signer": "unknown"
}
Signed by 14aqJ2hMtENYJVCJaekcrqi12fiZJzoWGK AIP!

Replies (5)

BSVanon via treechat · 3w
Replying to #8a175911
❤️ 0 Likes · ⚡ 0 Tips
{
  "txid": "6b3941bdfc5411c86aa00afa7c709c5ec24831b57588c88992e9abb3bdc2806c",
  "block_height": 0,
  "time": null,
  "app": "treechat",
  "type": "reply",
  "map_content": "I misunderstood.\r\nThat's good constructive criticism \u2014 you were right. We just shipped v0.7.1 with the fix.\r\nThe install script is now served from GitHub (not our VPS), and the binary is SHA256-verified before execution:\r\ncurl -fsSL https://raw.githubusercontent.com/BSVanon/Anvil/v0.7.1/scripts/install.sh | sudo bash\r\n\r\nWhat changed:\r\nScript is fetched from raw.githubusercontent.com at a tagged commit \u2014 immutable, auditable\r\nBinary downloads from GitHub Releases (not VPS)\r\nInstall script downloads checksums.txt from the same release and verifies SHA256 before running anything\r\nAborts with a clear error on mismatch\r\nFull supply chain process documented: https://github.com/BSVanon/Anvil/blob/main/RELEASING.md\r\nCompromising the VPS no longer compromises the installer. An attacker would need GitHub or the repo owner's credentials which are properly secured. The old anvil.sendbsv.com/install URL now just 302-redirects to the GitHub-hosted script.\r\nFor maximum vigilance, pin to the tag and read the script first:\r\ncurl -fsSL https://raw.githubusercontent.com/BSVanon/Anvil/v0.7.1/scripts/install.sh -o install.sh\r\nless install.sh\r\nsudo bash install.sh\r\n\r\nOr clone and build from source \u2014 as it's all public.",
  "media_type": "text/markdown",
  "filename": "|",
  "author": "14aqJ2hMtENYJVCJaekcrqi12fiZJzoWGK",
  "display_name": "BSVanon",
  "channel": null,
  "parent_txid": "8a175911ed7bcedb08b067aa151f8fa62fdf3ef0b89a5cbec3405691101b4de1",
  "ref_txid": null,
  "tags": null,
  "reply_count": 0,
  "like_count": 0,
  "timestamp": "2026-03-29T22:21:31.000Z",
  "media_url": null,
  "aip_verified": true,
  "attachments": [],
  "ui_name": "BSVanon",
  "ui_display_name": "BSVanon",
  "ui_handle": "BSVanon",
  "ui_display_raw": "BSVanon",
  "ui_signer": "14aqJ2hMtENYJVCJaekcrqi12fiZJzoWGK",
  "ref_ui_name": "unknown",
  "ref_ui_signer": "unknown"
}
Signed by 14aqJ2hMtENYJVCJaekcrqi12fiZJzoWGK AIP!
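
The check the reply above describes (take checksums.txt from the same release, verify SHA256 before running anything, abort on mismatch) looks like this in shell. This is an added example, not the project's install.sh; the file names and payload are constructed.

```shell
#!/usr/bin/env bash
# Added example (not the project's install.sh): check a downloaded artifact
# against a sha256sum-style checksums.txt before anything is executed.

# Print the SHA-256 of a file as lowercase hex.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum -- "$1"
    else shasum -a 256 -- "$1"; fi | awk '{ print $1 }'
}

# verify_artifact FILE MANIFEST
# 0 = exactly one well-formed entry for FILE's basename and it matches;
# 1 = hash mismatch; 2 = missing input; 3 = entry absent, duplicated or malformed.
verify_artifact() {
    local file=$1 manifest=$2 name expected actual
    [ -f "$file" ] && [ -f "$manifest" ] || { echo "missing input" >&2; return 2; }
    name=$(basename -- "$file")
    # Lines look like "<64 hex>  <name>" (a leading "*" marks binary mode).
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) }
                                 f == n { print tolower($1) }' "$manifest")
    # A duplicate entry leaves a newline in $expected and is rejected here too.
    case "$expected" in
        ""|*[!0-9a-f]*) echo "no single valid entry for $name" >&2; return 3 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "bad digest length for $name" >&2; return 3; }
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ] && return 0
    echo "SHA256 mismatch for $name: refusing to install" >&2
    return 1
}

# Constructed demo: build an artifact and manifest, then tamper with the artifact.
# Prints the three return codes: clean, tampered, and not listed in the manifest.
demo() {
    local dir a b c
    dir=$(mktemp -d) || return 2
    printf 'constructed release payload\n' > "$dir/demo-artifact.bin"
    printf '%s  %s\n' "$(sha256_of "$dir/demo-artifact.bin")" demo-artifact.bin > "$dir/checksums.txt"
    verify_artifact "$dir/demo-artifact.bin" "$dir/checksums.txt" && a=0 || a=$?
    printf 'extra bytes\n' >> "$dir/demo-artifact.bin"
    verify_artifact "$dir/demo-artifact.bin" "$dir/checksums.txt" 2>/dev/null && b=0 || b=$?
    : > "$dir/other.bin"
    verify_artifact "$dir/other.bin" "$dir/checksums.txt" 2>/dev/null && c=0 || c=$?
    rm -rf -- "$dir"
    echo "$a $b $c"
}
demo
```

Because the manifest comes from the same release as the artifact, this check catches corruption or a single swapped asset; it does not by itself authenticate the release, which needs a signature or a digest pinned out of band.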