Matthew Crews via PLUG-discuss said on Sat, 30 Mar 2024 09:35:28 -0700:

>Among the many questions that need to be asked:
>
>1. How can we trust source tarballs / archive files to be 100% correct
>versus source code?
>2. Without looking at the source code line-by-line, how do we detect
>supply chain attacks before they are propagated to end users?
>3. How do we properly vet source code contributors to make sure they
>aren't going to perform supply chain attacks?
A huge step in the right direction is not willy-nilly using other people's libraries in your software. I've been preaching this for years, and people keep telling me to grow up. "Don't reinvent the wheel!" Well, when the OPC (Other People's Code) wheel contains spokes from one place, rims from another, hubs from a third, ball bearings from a fourth, cones from a fifth, an axle from a sixth, and the axle nuts from a seventh, and all that was needed in the first place was the hub and an axle nut, I'd rather reinvent the wheel.

When I write Python code, if it can't be done with the standard library, I usually write it myself or do it in another language.

I know, I know, today's software is too complex to do it yourself. Well, that's another thing that's wrong.

SteveT

Steve Litt
Autumn 2023 featured book: Rapid Learning for the 21st Century
http://www.troubleshooters.com/rl21
---------------------------------------------------
PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss
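Matthew's first question, whether a release tarball actually matches the source tree it claims to be built from, has a mechanical partial answer: hash every regular file in the tarball and every regular file in the checked-out tree, then list what is tarball-only, tree-only, or modified. The script below is an added example written for this page, not code from either poster, and in the spirit of the reply it uses only the Python standard library. The sample checkout and tarball it compares are constructed inline in a temporary directory; the function names (`hash_tree`, `hash_tarball`, `compare`, `run_demo`) and the file names inside the sample are hypothetical.

```python
"""Compare the files in a release tarball against a source checkout (stdlib only)."""
from __future__ import annotations

import hashlib
import io
import tarfile
import tempfile
from pathlib import Path, PurePosixPath


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_tree(root: Path) -> dict[str, str]:
    """Map relative POSIX path -> sha256 for every regular file under root."""
    out: dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            out[p.relative_to(root).as_posix()] = _sha256(p.read_bytes())
    return out


def hash_tarball(tar_path: Path, strip_components: int = 1) -> dict[str, str]:
    """Map relative POSIX path -> sha256 for regular files in a tarball.

    Members are read in memory, never extracted to disk, so hostile member
    names (absolute paths, '..') cannot write outside the working directory.
    The leading 'project-version/' directory is stripped so paths line up
    with the checkout.
    """
    out: dict[str, str] = {}
    with tarfile.open(str(tar_path), "r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            parts = PurePosixPath(member.name).parts[strip_components:]
            if not parts:
                continue
            fobj = tf.extractfile(member)
            if fobj is not None:
                out["/".join(parts)] = _sha256(fobj.read())
    return out


def compare(tree: dict[str, str], tar: dict[str, str]) -> dict[str, list[str]]:
    """Classify every path as tarball-only, tree-only, or modified."""
    return {
        "tarball_only": sorted(set(tar) - set(tree)),
        "tree_only": sorted(set(tree) - set(tar)),
        "modified": sorted(k for k in set(tree) & set(tar) if tree[k] != tar[k]),
    }


def build_demo(workdir: Path) -> tuple[Path, Path]:
    """Constructed sample data: a checkout, and a tarball that quietly differs from it."""
    src = workdir / "checkout"
    (src / "src").mkdir(parents=True)
    (src / "configure.ac").write_text("AC_INIT([demo], [1.0])\n")
    (src / "README").write_text("demo\n")
    (src / "src" / "main.c").write_text("int main(void){return 0;}\n")

    tar_path = workdir / "demo-1.0.tar.gz"
    with tarfile.open(str(tar_path), "w:gz") as tf:
        tf.add(src / "configure.ac", arcname="demo-1.0/configure.ac")
        tf.add(src / "README", arcname="demo-1.0/README")
        # One file altered relative to the checkout ...
        data = b"int main(void){return 1;}\n"
        info = tarfile.TarInfo("demo-1.0/src/main.c")
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
        # ... and one file that exists only in the distributed archive.
        data = b"dnl hypothetical macro shipped only in the tarball\n"
        info = tarfile.TarInfo("demo-1.0/m4/extra.m4")
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    return src, tar_path


def run_demo() -> dict[str, list[str]]:
    """Build the constructed sample and return the comparison result."""
    with tempfile.TemporaryDirectory() as tmp:
        src, tar_path = build_demo(Path(tmp))
        return compare(hash_tree(src), hash_tarball(tar_path))


if __name__ == "__main__":
    for kind, files in run_demo().items():
        print(f"{kind}: {files}")
```

The caveat a practitioner will hit immediately: autotools-style releases legitimately ship generated files (`configure`, `Makefile.in`, and so on) that are absent from the repository, so the `tarball_only` list is not a verdict on its own. It is only useful if you know what the release process is supposed to generate, or can regenerate those files yourself from the tagged commit and diff the results; anything in `tarball_only` or `modified` that you cannot account for that way is what deserves the line-by-line reading Matthew's second question asks about.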