Just picking out one point below.

On Wed, Dec 30, 2020 at 12:47 PM Greg Stein <gst...@gmail.com> wrote:

> On Tue, Dec 29, 2020 at 8:08 PM Brennan Ashton <bash...@brennanashton.com>
> wrote:
> [...]
> > TBH I don't see how the threat surface here is that much different
> > than pulling down packages from pypi to npm at build time.
>
> And that is why those packages should be pinned and checksums verified,
> too. Do people do that? Nope. Should they? Yup. (and Infra falls into the
> "we could do better, too"; not casting stones)

Not for npm packages but rather for Maven repo artifacts, we have just started
using Gradle's dependency verification mechanism[1]. It allows you to check
checksums and signatures of all downloaded artifacts against an accepted list.
You can think of this as double accounting to verify artifacts that make their
way into our builds. Other projects using Gradle (version 6.2 and above) might
also like to consider using that.

Cheers,
Paul.

[1] https://docs.gradle.org/current/userguide/dependency_verification.html
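For readers who have not seen the mechanism Paul refers to, below is an added illustration (not part of this thread, and not a file from any Apache project) of what the accepted list looks like. Gradle reads it from gradle/verification-metadata.xml in the project root; the coordinates org.apache.commons:commons-lang3:3.11 are chosen only as a plausible dependency, and the REPLACE_WITH_* values are placeholders for the checksum and PGP key fingerprint that Gradle itself writes when you bootstrap the file.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- gradle/verification-metadata.xml (illustrative; values are placeholders) -->
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification"
                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                       xsi:schemaLocation="https://schema.gradle.org/dependency-verification https://schema.gradle.org/dependency-verification/dependency-verification-1.0.xsd">
  <configuration>
    <!-- Also verify the .pom/.module metadata files, not just the jars. -->
    <verify-metadata>true</verify-metadata>
    <!-- Check PGP signatures (the .asc files published next to each artifact). -->
    <verify-signatures>true</verify-signatures>
    <trusted-keys>
      <!-- Accept signatures from this key only for artifacts in this group.
           Fingerprint is a placeholder: take it from Gradle's generated file
           and confirm it against the project's published KEYS file. -->
      <trusted-key id="REPLACE_WITH_KEY_FINGERPRINT" group="org.apache.commons"/>
    </trusted-keys>
  </configuration>
  <components>
    <component group="org.apache.commons" name="commons-lang3" version="3.11">
      <artifact name="commons-lang3-3.11.jar">
        <!-- Placeholder; Gradle fills in the real sha256 of the downloaded jar.
             A build that downloads a jar with any other hash fails. -->
        <sha256 value="REPLACE_WITH_SHA256_WRITTEN_BY_GRADLE" origin="Generated by Gradle"/>
      </artifact>
    </component>
  </components>
</verification-metadata>
```

The file is normally bootstrapped rather than written by hand: `./gradlew --write-verification-metadata sha256,pgp help` resolves every configuration, records checksums and the signing keys it saw, and writes the file; afterwards any resolved artifact that is missing from the list or whose checksum or signature does not match fails the build. Two things worth knowing before relying on it: the generated file trusts whatever was in the dependency cache at generation time, so bootstrap from a clean cache (and review the resulting diff on every dependency bump, which is the "double accounting" Paul describes), and signature checks fetch keys from key servers unless you export them into the repository with `./gradlew --export-keys`, which keeps the build reproducible offline.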