On 30 Mar 2024, Matthew Crews via PLUG-discuss wrote:

> This, ladies and gentlemen, is what a Supply Chain Attack looks like.

> While I'm not sure that this specific vulnerability led to much harm (who knows yet?), we're going to be feeling the after-shocks in the open source and security industries for a long time.

> Among the many questions that need to be asked:

> 1. How can we trust source tarballs / archive files to be 100% correct versus source code?

Reproducible builds help with that.

> 2. Without looking at the source code line-by-line, how do we detect supply chain attacks before they are propagated to end users?

Maybe peer review and audits as the code goes in. That'll take a lot of
effort, especially for small projects.

> 3. How do we properly vet source code contributors to make sure they aren't going to perform supply chain attacks?

> It's going to be a rough summer for some of us.

ciao,

der.hans

> -Matt
> ---------------------------------------------------
> PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> https://lists.phxlinux.org/mailman/listinfo/plug-discuss


--
#  https://www.SpiralArray.com   https://www.PhxLinux.org
#  When in doubt, choose the most interesting one. -- der.hans
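The tarball-versus-source question raised in the thread, as an added example that is not from the list or from any project it mentions: a Python check that lists files present only in a release tarball, only in the source tree, or present in both with different content, which is exactly the kind of difference a reviewer wants surfaced before packaging. It assumes SHA-256 content comparison and a single top-level directory inside the tarball; the sample tree and tarball are constructed inside the block.

```python
import hashlib
import io
import os
import tarfile
import tempfile

def tree_digests(root):
    """Map each file under root (path relative to root) to its SHA-256."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out

def tarball_digests(path):
    """Map each regular file in the tarball (top-level directory stripped) to its SHA-256."""
    out = {}
    with tarfile.open(path, "r:*") as tar:
        for m in tar.getmembers():
            if m.isfile():
                rel = m.name.split("/", 1)[1] if "/" in m.name else m.name
                out[rel] = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
    return out

def compare(tarball, tree):
    """Files only in the tarball, only in the tree, and in both but with different content."""
    a, b = tarball_digests(tarball), tree_digests(tree)
    return {"only_in_tarball": sorted(set(a) - set(b)),
            "only_in_tree": sorted(set(b) - set(a)),
            "differ": sorted(p for p in set(a) & set(b) if a[p] != b[p])}

def demo():
    """Constructed sample: the tarball alters one m4 file and adds another versus the tree."""
    tmp = tempfile.mkdtemp()
    tree = os.path.join(tmp, "src")
    os.makedirs(os.path.join(tree, "m4"))
    for rel, data in {"configure.ac": b"AC_INIT([demo], [1.0])\n", "m4/build.m4": b"dnl clean\n"}.items():
        with open(os.path.join(tree, rel), "wb") as fh:
            fh.write(data)
    shipped = {"configure.ac": b"AC_INIT([demo], [1.0])\n",  # identical to the tree
               "m4/build.m4": b"dnl altered\n",              # changed only in the tarball
               "m4/extra.m4": b"dnl new\n"}                   # exists only in the tarball
    tarball = os.path.join(tmp, "demo-1.0.tar.gz")
    with tarfile.open(tarball, "w:gz") as tar:
        for rel, data in shipped.items():
            info = tarfile.TarInfo("demo-1.0/" + rel)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return compare(tarball, tree)
```

Run `compare()` against a real tarball and a checkout of the matching tag; a non-empty `only_in_tarball` or `differ` list is what to read before trusting the archive.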
