Supply chain risks are important in open source: with so many 
contributors, how can one be sure that there aren't malicious components?

(Buggy components are also a threat.)

(Closed source has this problem too, with some variations.)

This is a scary real current example:
<https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/amp/>

As I understand it, this malicious software tried to damage systems 
in Russia and Belarus.  That's terrible.  And it has had unintended 
side-effects:

<https://web.archive.org/web/20220317140340/https://github.com/RIAEvangelist/node-ipc/issues/308>

(One could also argue that leaving important information in Belarus, with 
no recent backup, is very dumb.)
---
Post to this mailing list talk@gtalug.org
Unsubscribe from this mailing list https://gtalug.org/mailman/listinfo/talk