The Linux Foundation's answer to supply chain attacks is to offer a free code signing service for open source developers, called Sigstore. While it is on the right track, it does not mitigate all supply chain hazards. The truth is that it is not possible to do so completely.
To build useful software we don't reinvent the wheel; we build on work already done, which comes bundled in the form of libraries.
The problem is that even a mediocre open source project can have loads of such dependencies, which themselves depend on others, forming a lengthy chain. Not a problem per se, unless you aim at implanting malicious code anywhere in this chain. After all it takes just one command:
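To make the chain argument concrete, here is an added example (not code from the article or from Sigstore) that walks a small, constructed dependency graph with hypothetical package names: it computes what a project pulls in transitively, how deep the chain goes, and which packages are reached by a compromise of a single leaf deep in the chain.

```python
from collections import deque

# Constructed sample manifest: each package's direct dependencies.
# The names are hypothetical; the graph is assumed to be acyclic.
DEPS = {
    "myapp": ["web", "db"],
    "web": ["http", "json"],
    "db": ["http", "crypto"],
    "http": ["sockets", "crypto"],
    "json": [],
    "crypto": ["bignum"],
    "sockets": [],
    "bignum": [],
}


def transitive_deps(root, deps=DEPS):
    """Every package reachable from root (breadth-first), excluding root itself."""
    seen, queue = set(), deque([root])
    while queue:
        pkg = queue.popleft()
        for dep in deps.get(pkg, []):
            if dep not in seen:          # 'seen' also protects against cycles
                seen.add(dep)
                queue.append(dep)
    return seen


def longest_chain(root, deps=DEPS, memo=None):
    """Number of edges on the longest dependency path starting at root (DAG assumed)."""
    if memo is None:
        memo = {}
    if root in memo:
        return memo[root]
    children = deps.get(root, [])
    # A leaf has chain length 0; otherwise one more than its deepest child.
    memo[root] = 1 + max((longest_chain(c, deps, memo) for c in children), default=-1)
    return memo[root]


def blast_radius(pkg, deps=DEPS):
    """Packages whose transitive closure contains pkg: everything a compromise of pkg reaches."""
    return {p for p in deps if pkg in transitive_deps(p, deps)}


if __name__ == "__main__":
    print("myapp pulls in:", sorted(transitive_deps("myapp")))
    print("longest chain from myapp:", longest_chain("myapp"))
    print("compromising bignum reaches:", sorted(blast_radius("bignum")))
```

Pointing the same functions at a real lockfile shows the defender's view: a single low-level package with no direct relationship to the project still ends up inside it.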