Closed geigerzaehler closed 2 years ago
This was partially implemented for `rad sync` in https://github.com/radicle-dev/radicle-cli/pull/105. The command now verifies the signature but does not yet remove invalid references. The verification is not implemented in rad-common, which means we’re not running it in our codebase.
At the moment, `rad sync` does not verify the authenticity of references of remote peers it fetches from a seed. As a result, seeds can manipulate references of a project, which can be used to inject malicious code. `rad sync` has the same issue (https://github.com/radicle-dev/radicle-cli/issues/88).
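The check the issue asks for, as an added example that is not radicle-cli's own code and does not use Radicle's actual signed-refs format: a peer signs the canonical list of its refs with its Ed25519 key; on sync, every ref served by the seed is accepted only if the signed list verifies under the peer's public key and the fetched ref matches an entry in it, and everything else is reported for removal. The `Ref` type, the canonical "oid name" line format, and the `SignRefs`/`VerifyFetched` functions are assumptions made here for illustration. It is written in Go rather than Rust because Ed25519 is in Go's standard library, so it runs with no dependencies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Ref is a git reference (name plus the object id it points to) as
// announced by a peer or as served by a seed. Hypothetical type for this
// example; Radicle's real signed-refs layout is different.
type Ref struct {
	Name string
	OID  string
}

// canonical serialises a ref list deterministically (sorted by name, one
// "<oid> <name>" line each) so signer and verifier hash the same bytes no
// matter which order the refs were listed in.
func canonical(refs []Ref) []byte {
	sorted := append([]Ref(nil), refs...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Name < sorted[j].Name })
	var b strings.Builder
	for _, r := range sorted {
		fmt.Fprintf(&b, "%s %s\n", r.OID, r.Name)
	}
	return []byte(b.String())
}

// SignRefs is the peer-side step: sign the canonical ref list with the
// peer's Ed25519 key before publishing it to a seed.
func SignRefs(priv ed25519.PrivateKey, refs []Ref) []byte {
	return ed25519.Sign(priv, canonical(refs))
}

// VerifyFetched is the sync-side step. A fetched ref is kept only if the
// signed ref list verifies under the peer's public key AND the fetched ref
// matches an entry in that list. An unsigned extra ref, or a ref whose
// target the seed rewrote, is returned in rejected so the caller can delete
// it locally instead of keeping it.
func VerifyFetched(peerKey ed25519.PublicKey, signedRefs []Ref, sig []byte, fetched []Ref) (kept []Ref, rejected []string, err error) {
	if !ed25519.Verify(peerKey, canonical(signedRefs), sig) {
		// The seed served a ref list that the peer never signed:
		// trust none of the fetched refs.
		return nil, nil, errors.New("signed ref list does not verify under the peer's key")
	}
	expected := make(map[string]string, len(signedRefs))
	for _, r := range signedRefs {
		expected[r.Name] = r.OID
	}
	for _, r := range fetched {
		if oid, ok := expected[r.Name]; ok && oid == r.OID {
			kept = append(kept, r)
		} else {
			rejected = append(rejected, r.Name)
		}
	}
	return kept, rejected, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample data: the refs the peer actually published.
	signed := []Ref{
		{"refs/heads/master", "1111111111111111111111111111111111111111"},
		{"refs/tags/v1.0", "2222222222222222222222222222222222222222"},
	}
	sig := SignRefs(priv, signed)

	// Constructed sample data: what a malicious seed serves, with master
	// pointed at a different commit and an extra branch injected.
	fetched := []Ref{
		{"refs/heads/master", "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"},
		{"refs/tags/v1.0", "2222222222222222222222222222222222222222"},
		{"refs/heads/backdoor", "3333333333333333333333333333333333333333"},
	}
	kept, rejected, err := VerifyFetched(pub, signed, sig, fetched)
	if err != nil {
		panic(err)
	}
	fmt.Println("kept:", kept)
	fmt.Println("rejected (to be removed):", rejected)
}
```

One caveat this example does not cover: a seed that serves an older ref list together with the peer's genuine old signature still passes `VerifyFetched`. Stopping that rollback needs something the signed payload carries and the client remembers, such as a monotonically increasing counter compared against the last list seen for that peer.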