der.hans via PLUG-discuss said on Sun, 31 Mar 2024 07:19:43 +0000 (UTC)

>On 30 Mar 2024, Matthew Crews via PLUG-discuss said:
>
>> This, ladies and gentlemen, is what a Supply Chain Attack looks like.
>>
>> While I'm not sure that this specific vulnerability led to much harm
>> (who knows yet?), we're going to be feeling the after-shocks in the
>> open source and security industries for a long time.
>>
>> Among the many questions that need to be asked:
>>
>> 1. How can we trust source tarballs / archive files to be 100%
>> correct versus source code?
>
>Reproducible builds help with that.
>
>> 2. Without looking at the source code line-by-line, how do we detect
>> supply chain attacks before they are propagated to end users?
>
>Maybe peer review and audits as the code goes in. That'll take a lot of
>effort, especially for small projects.
>
>> 3. How do we properly vet source code contributors to make sure they
>> aren't going to perform supply chain attacks?
>
>It's going to be a rough Summer for some of us.

A couple of Niklaus Wirth quotes from
https://www.bostonglobe.com/2024/02/28/metro/niklaus-wirth-software-developer-who-saw-power-simplicity-dies-89/ :

============================================
“The art in engineering is not so much to make something very
complicated. The art is to make a complicated problem simpler.”

“When you develop a program, it’s much harder to devise a simple
solution than complicated ones. Unfortunately, our computers are
terribly uncritical. They swallow anything.”
============================================

Yes, it's easier to incorporate yet another library that's really a tree
of dependencies, and the computer will swallow it.

For the last several years, the problems caused by the complexification
caused by willy-nilly use of Other People's Code (OPC) are on full
display.

We can audit. We can peer-review. We can crack the whip on source code
providers, but as long as we increasingly complexificate our software
with ever more layers of abstraction, auditing, peer-review and cracking
the whip are just kicking the can down the road.

KISS!!!!!

SteveT

Note: I'm copying the Devuan project mailing list on this post.
---------------------------------------------------
PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss
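The first question in the quoted thread (how to trust a source tarball against the source code) gets only "reproducible builds help with that" as an answer. The script below is an added example, not part of the list post or of any project named in it, of the narrower check that sits underneath that answer and that a packager or distributor can run today: unpack a release tarball, hash every file in it, hash every file in a checkout or `git archive` export of the tagged source, and report paths that exist only in the tarball, only in the tree, or whose content differs. It assumes a tarball with one leading directory component, GNU-style `tar --strip-components`, `sha256sum`, and `comm`; the "repo" and tarball it builds for the demo are constructed sample data.

```shell
#!/bin/sh
# verify_tarball.sh: report how a release tarball differs from the source
# tree it claims to be built from. Exit status: 0 identical, 1 differences
# found, 2 usage or extraction error. Assumed tooling: tar with
# --strip-components, sha256sum, comm, mktemp (not taken from the thread).

# hash_tree DIR: print "sha256  ./relative/path" for every regular file
# under DIR, skipping .git metadata, sorted so comm(1) can compare lists.
hash_tree() {
    ( cd "$1" && find . -type f ! -path './.git/*' -exec sha256sum {} + ) | sort
}

# compare_tarball_to_tree TARBALL DIR [STRIP]
# STRIP is the number of leading path components to drop from tarball
# entries (default 1, for the usual project-version/ top directory).
compare_tarball_to_tree() {
    tarball=$1; tree=$2; strip=${3:-1}
    [ -f "$tarball" ] && [ -d "$tree" ] || return 2
    work=$(mktemp -d) || return 2
    mkdir "$work/unpacked"
    if ! tar -xzf "$tarball" -C "$work/unpacked" --strip-components="$strip"; then
        rm -rf "$work"; return 2
    fi
    hash_tree "$work/unpacked" > "$work/tar.hashes"
    hash_tree "$tree"          > "$work/tree.hashes"
    awk '{print $2}' "$work/tar.hashes"  | sort > "$work/tar.paths"
    awk '{print $2}' "$work/tree.hashes" | sort > "$work/tree.paths"

    # Paths present on one side only: files shipped that are not in version
    # control, or files in version control that never made it into the archive.
    comm -23 "$work/tar.paths" "$work/tree.paths" | sed 's/^/only in tarball: /'
    comm -13 "$work/tar.paths" "$work/tree.paths" | sed 's/^/only in tree:    /'

    # Paths present on both sides whose content hash differs.
    comm -12 "$work/tar.paths" "$work/tree.paths" > "$work/common"
    comm -3 "$work/tar.hashes" "$work/tree.hashes" | awk '{print $2}' | sort -u \
        | comm -12 "$work/common" - | sed 's/^/content differs: /'

    # Both hash lists are sorted and carry the path, so byte equality of the
    # lists means the same set of files with the same content.
    if cmp -s "$work/tar.hashes" "$work/tree.hashes"; then status=0; else status=1; fi
    rm -rf "$work"
    return $status
}

# make_demo DIR: construct a toy checkout and a tarball that deviates from it
# in three ways (constructed sample data, not a real project).
make_demo() {
    d=$1
    mkdir -p "$d/repo/src" "$d/repo/doc" "$d/repo/.git"
    printf 'int main(void) { return 0; }\n' > "$d/repo/src/main.c"
    printf 'demo project\n'                 > "$d/repo/README"
    printf '1.0 initial\n'                  > "$d/repo/doc/CHANGES"
    printf 'ref: refs/heads/main\n'         > "$d/repo/.git/HEAD"   # must be ignored

    mkdir -p "$d/proj-1.0/src"
    cp "$d/repo/README" "$d/proj-1.0/README"                        # unchanged
    printf 'int main(void) { return 1; }\n' > "$d/proj-1.0/src/main.c"   # modified
    printf '#!/bin/sh\necho generated\n'    > "$d/proj-1.0/build-helper.sh" # not in VCS
    # doc/CHANGES is deliberately absent from the tarball.
    tar -czf "$d/release.tar.gz" -C "$d" proj-1.0
}

# run_demo: build the sample data, print the report and the exit status.
run_demo() {
    d=$(mktemp -d)
    make_demo "$d"
    compare_tarball_to_tree "$d/release.tar.gz" "$d/repo"
    rc=$?
    rm -rf "$d"
    echo "exit status: $rc"
    return $rc
}

# Usage: sh verify_tarball.sh --demo
#        sh verify_tarball.sh RELEASE.tar.gz /path/to/checkout [STRIP]
case "${1:-}" in
    --demo) run_demo ;;
    "")     ;;   # no arguments: only define the functions
    *)      compare_tarball_to_tree "$1" "$2" "${3:-1}" ;;
esac
```

On the demo data the report lists `./build-helper.sh` as only in the tarball, `./doc/CHANGES` as only in the tree and `./src/main.c` as differing, and exits 1; a tarball made straight from the checkout exits 0. The check is complementary to reproducible builds: it answers "is this archive the tagged source?" without needing a second builder, while a reproducible build answers "does this binary come from that source?".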