On 30 Mar 2024, Matthew Crews via PLUG-discuss wrote:
> This, ladies and gentlemen, is what a Supply Chain Attack looks like.
>
> While I'm not sure that this specific vulnerability led to much harm (who
> knows yet?), we're going to be feeling the after-shocks in the open source
> and security industries for a long time.
>
> Among the many questions that need to be asked:
>
> 1. How can we trust source tarballs / archive files to be 100% correct versus
> source code?
Reproducible builds help with that.
> 2. Without looking at the source code line-by-line, how do we detect supply
> chain attacks before they are propagated to end users?
Maybe peer review and audits as the code goes in. That'll take a lot of
effort, especially for small projects.
> 3. How do we properly vet source code contributors to make sure they aren't
> going to perform supply chain attacks?
It's going to be a rough Summer for some of us.
ciao,
der.hans
> -Matt
> ---------------------------------------------------
> PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>
--
#
https://www.SpiralArray.com https://www.PhxLinux.org
# When in doubt, choose the most interesting. -- der.hans
---------------------------------------------------
PLUG-discuss mailing list:
PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss
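The first question in the thread (can a release tarball be trusted to match the source tree?) and the reply that reproducible builds help are the kind of thing a short check can make concrete. What follows is an added example written for this page, not code from the thread, from PLUG-discuss, or from any project: it hashes every regular file in a checked-out source tree and in a release tarball, strips the tarball's top-level directory so the paths line up, and reports files that exist only in the tarball, only in the source tree, or that differ in content. The project name, file names and contents in `demo()` are constructed sample data; the tarball is deliberately given one extra file and one altered file so the report is not empty.

```python
"""Compare a release tarball against a checked-out source tree.

Added example for this page; not code from the thread or any project.
It answers the narrow question "does the archive contain exactly the
files that are under version control?" by listing every file that is
only in the tarball, only in the source tree, or differs in content.
All names and file contents used in demo() are constructed.
"""
import hashlib
import io
import os
import tarfile
import tempfile


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_tree(root: str) -> dict:
    """Map relative path -> sha256 for every regular file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                result[rel] = sha256_bytes(fh.read())
    return result


def hash_tarball(path: str) -> dict:
    """Map relative path -> sha256 for every regular file in the tarball.

    Release archives usually wrap everything in a 'name-version/' directory;
    that leading component is stripped so paths match the source tree.
    """
    result = {}
    with tarfile.open(path, "r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            parts = member.name.split("/", 1)
            rel = parts[1] if len(parts) == 2 else parts[0]
            result[rel] = sha256_bytes(tar.extractfile(member).read())
    return result


def compare(source_hashes: dict, tarball_hashes: dict) -> dict:
    """Report files only in the tarball, only in source, or with different content."""
    common = set(source_hashes) & set(tarball_hashes)
    return {
        "only_in_tarball": sorted(set(tarball_hashes) - set(source_hashes)),
        "only_in_source": sorted(set(source_hashes) - set(tarball_hashes)),
        "modified": sorted(p for p in common if source_hashes[p] != tarball_hashes[p]),
    }


def _add_bytes(tar: tarfile.TarFile, name: str, data: bytes) -> None:
    """Write an in-memory byte string into the archive under the given name."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def demo() -> dict:
    """Build a constructed source tree and tarball, then compare them.

    The tarball deliberately carries one altered file and one file that is
    not in the source tree, which is exactly what the check should flag.
    """
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "src")
        files = {  # constructed sample project
            "configure.ac": b"AC_INIT([proj], [1.0])\n",
            "m4/libtool.m4": b"# libtool macros\n",
            "src/main.c": b"int main(void) { return 0; }\n",
        }
        for rel, data in files.items():
            full = os.path.join(src, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)

        tar_path = os.path.join(tmp, "proj-1.0.tar.gz")
        with tarfile.open(tar_path, "w:gz") as tar:
            for rel, data in files.items():
                if rel == "m4/libtool.m4":  # altered copy only in the archive
                    data = b"# libtool macros\n# extra line only in the tarball\n"
                _add_bytes(tar, "proj-1.0/" + rel, data)
            _add_bytes(tar, "proj-1.0/m4/extra-not-in-vcs.m4", b"# not in git\n")

        return compare(hash_tree(src), hash_tarball(tar_path))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(category, paths)
```

Against a real project, point `hash_tree` at a clean checkout of the tagged commit and `hash_tarball` at the published archive; files that are generated at release time (for example by a build system's dist step) will show up under `only_in_tarball` and need to be either regenerated and compared, or read by hand, which is where reproducible builds reduce the manual work.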