On 30 Mar 2024, Matthew Crews via PLUG-discuss said:

> This, ladies and gentlemen, is what a Supply Chain Attack looks like.
>
> While I'm not sure that this specific vulnerability led to much harm (who
> knows yet?), we're going to be feeling the after-shocks in the open source
> and security industries for a long time.
>
> Among the many questions that need to be asked:
>
> 1. How can we trust source tarballs / archive files to be 100% correct versus
> source code?

Reproducible builds help with that.

> 2. Without looking at the source code line-by-line, how do we detect supply
> chain attacks before they are propagated to end users?

Maybe peer review and audits as the code goes in. That'll take a lot of effort, especially for small projects.

> 3. How do we properly vet source code contributors to make sure they aren't
> going to perform supply chain attacks?

It's going to be a rough Summer for some of us.

ciao,

der.hans

> -Matt
> ---------------------------------------------------
> PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
> --

--
# https://www.SpiralArray.com https://www.PhxLinux.org
# When in doubt, choose the most interesting.
-- der.hans
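One concrete check behind question 1 above, added here as an example rather than code from the thread: compare a release tarball against a source checkout and list files that exist only in the archive, only in the tree, or whose bytes differ. The fixture (a two-file tree and a tarball of it carrying one extra generated m4 file) is constructed inline; the function and file names are the example's own.

```python
import hashlib
import io
import os
import tarfile
import tempfile


def compare_tarball_to_tree(tarball_path: str, src_dir: str) -> dict:
    """Report files only in the archive, only in the checkout, or with differing content."""
    tree = {}
    for root, _dirs, files in os.walk(src_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, src_dir).replace(os.sep, "/")
            with open(full, "rb") as fh:
                tree[rel] = hashlib.sha256(fh.read()).hexdigest()

    archive = {}
    with tarfile.open(tarball_path, "r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            # strip the usual 'proj-1.0/' top-level prefix of a release tarball
            rel = member.name.split("/", 1)[1] if "/" in member.name else member.name
            archive[rel] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()

    return {
        "only_in_tarball": sorted(set(archive) - set(tree)),
        "only_in_tree": sorted(set(tree) - set(archive)),
        "modified": sorted(p for p in archive if p in tree and archive[p] != tree[p]),
    }


def build_demo() -> dict:
    """Constructed fixture: a small source tree and a tarball of it plus one extra file."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "src")
    os.makedirs(os.path.join(src, "m4"))
    with open(os.path.join(src, "configure.ac"), "wb") as fh:
        fh.write(b"AC_INIT([demo], [1.0])\n")
    with open(os.path.join(src, "m4", "ax_helper.m4"), "wb") as fh:
        fh.write(b"dnl helper macro\n")
    tarball = os.path.join(work, "demo-1.0.tar.gz")
    with tarfile.open(tarball, "w:gz") as tar:
        tar.add(src, arcname="demo-1.0")  # the checked-in files
        extra = b"dnl present only in the release archive\n"  # never in the tree
        info = tarfile.TarInfo("demo-1.0/m4/build-extra.m4")
        info.size = len(extra)
        tar.addfile(info, io.BytesIO(extra))
    return compare_tarball_to_tree(tarball, src)
```

Run against a real release, the interesting output is the "only_in_tarball" list: every entry is content that a reviewer of the repository never saw.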