Skip to main content

Does Sigstore Really Secure The Supply Chain?

 Linux Foundation's answer to supply chain attacks is to offer a free code signing service for open source developers, called Sigstore. While on the right track it does not  mitigate all supply chain hazards.The truth is that it's not possible to completely do so.

sigstore-logo

To build useful software we don't reinvent the wheel but we base on work already done coming bundled in the form of libraries.
The problem is that even a mediocre open source project can have loads of such dependencies which themselves depend on others, forming a length chain.Not a problem per se unless you aim implanting malicious code anywhere in this chain. After all it takes just one command:

fuul article on i-programmer

Labels:

Comments

Post a Comment

Popular posts from this blog

RAG from Scratch

  The "RAG from Scratch" tutorial by Langchain coupled with the "RAG playground" are two great educational resources that will help you kickstart your journey with RAG. https://www.i-programmer.info/news/105-artificial-intelligence/17676-rag-from-scratch.html
Post a Comment
Read more

Hour Of Code 2024 Is About To Kick Off

  This year the event that aims to provide a coding experience for all school students and anyone else who wants to join in runs between December 9th and 15th and includes new activities. Let's find out all about it! https://www.i-programmer.info/news/150-training-a-education/17664-hour-of-code-2024-is-about-to-kick-off.html
Post a Comment
Read more