There's a lot to be said about the security of ports supply chains. There are lots of mitigations to apply starting from the original developer, to distribution and packaging to the end user and operating system at the destination.
You can build a nice ports/pkg system, verify the source with checksums, then move up to digital signatures, and so on. Clearly you can't mock ports systems; the need for original source code should go away. Raw pip or CPAN removes some basic guard rails. But most mitigations are looking to solve one moment in the ports supply chain.

Ultimately the issue is most difficult when the original developer(s) of the source are the problem, conscious or not. "But the source was signed with the developer's keys!" You can call that a verified backdoor. All the crud on PyPI is a good example.

Operating system mitigations matter, since few users will actually look at the original source or even changelogs. One might think that some 3p auditor could be used to verify code changes with some projects.... then we turn into a world of blue check marks for open source code. Now let's charge a fee! We can even validate it for SOC2 compliance! "Get a blue check for your application in four days cheap!"

Certainly complexity makes things worse, including on the operating system level. Cough, cough systemd. Building out complex "supply chains" for applications needs to be avoided. And witch hunts aren't going to address these larger problems.

https://www.wired.com/story/jia-tan-xz-backdoor/

g

_______________________________________________
talk mailing list
talk@lists.nycbug.org
https://lists.nycbug.org:8443/mailman/listinfo/talk