Oddbean new post about | logout
 > They say a contributor key was compromised

This is an assumption:

A binary was replaced with a malicious one, this should only be possible to do by people with write access.
So far of those people, nobody's account seems compromised.

And GitHub doesn't let you know who performed that action.

> How many contributors can make releases?

The release itself, I think everyone could do it. But the creation and signing of the binaries with the zkSNACKs key of course only by people with the key.

> Is the installer not signed?

It is. And the signature file wasn't replaced. 
People who verify signatures should have noticed it and not be a victim