Matthew Crews via PLUG-discuss said on Sat, 30 Mar 2024 09:35:28 -0700
>Among the many questions that need to be asked:
>
>1. How can we trust source tarballs / archive files to be 100% correct
>versus source code?
>2. Without looking at the source code line-by-line, how do we detect
>supply chain attacks before they are propagated to end users?
>3. How do we properly vet source code contributors to make sure they
>aren't going to perform supply chain attacks?
A huge step in the right direction is not willy-nilly using other
peoples' libraries in your software. I've been preaching this for
years, and people keep telling me to grow up. "Don't reinvent the
wheel!"
Well, when the OPC (Other Peoples Code) wheel contains spokes from one
place, rims from another, hubs from a third, ball bearings from a
fourth, cones from a fifth, and an axle from the sixth, the axle nuts
from a seventh, and all that was needed in the first place was the hub
and an axle nut, I'd rather reinvent the wheel.
When I write Python code, if it can't be done with the standard
library, I usually write it myself or do it in another language.
I know, I know, today's software is too complex to do it yourself.
Well, that's another thing that's wrong.
SteveT
Steve Litt
Autumn 2023 featured book: Rapid Learning for the 21st Century
http://www.troubleshooters.com/rl21
---------------------------------------------------
PLUG-discuss mailing list:
PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss
(text/plain)