
Does Sigstore Really Secure The Supply Chain?

The Linux Foundation's answer to supply chain attacks is to offer a free code signing service for open source developers, called Sigstore. While it is on the right track, it does not mitigate all supply chain hazards. The truth is that it is not possible to do so completely.


To build useful software we don't reinvent the wheel; we build on work already done, which comes bundled in the form of libraries.
The problem is that even a mediocre open source project can have loads of such dependencies, which themselves depend on others, forming a lengthy chain. That is not a problem per se, unless you aim to implant malicious code anywhere in this chain. After all, it takes just one command:

Full article on i-programmer
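To make the dependency-chain argument concrete, here is an added example (not code from the original post or from the Sigstore project) that walks a small, constructed dependency graph and shows how many packages can carry an implant into the root project and through how many distinct chains; the package names and edges are assumptions made up for illustration.

```python
# Added example: how far a single compromised dependency reaches through
# a transitive dependency chain. The graph below is constructed, not real.
from collections import deque

# Constructed graph: package -> packages it depends on directly.
DEPS = {
    "my-app":          ["web-framework", "http-client"],
    "web-framework":   ["template-engine", "http-client"],
    "http-client":     ["url-parser", "tls-lib"],
    "template-engine": ["string-utils"],
    "url-parser":      ["string-utils"],
    "tls-lib":         [],
    "string-utils":    [],
}


def transitive_deps(root, deps=DEPS):
    """Every package that ends up in root's build, directly or indirectly.
    Each one is a place where an implant would reach root."""
    seen, queue = set(), deque(deps.get(root, []))
    while queue:
        pkg = queue.popleft()
        if pkg in seen:
            continue
        seen.add(pkg)
        queue.extend(deps.get(pkg, []))
    return seen


def dependents_of(target, deps=DEPS):
    """Every package whose build would ingest target: the blast radius of
    a compromise of target."""
    return {pkg for pkg in deps if target in transitive_deps(pkg, deps)}


def paths_to(root, target, deps=DEPS, path=None):
    """All distinct dependency chains from root down to target. A deep,
    leaf-level library is often reachable through several chains at once."""
    path = (path or []) + [root]
    if root == target:
        return [path]
    found = []
    for dep in deps.get(root, []):
        if dep not in path:  # guard against cycles in a real lock file
            found.extend(paths_to(dep, target, deps, path))
    return found


if __name__ == "__main__":
    print("packages reaching my-app:", len(transitive_deps("my-app")))
    print("affected if string-utils is compromised:", dependents_of("string-utils"))
    for chain in paths_to("my-app", "string-utils"):
        print(" -> ".join(chain))
```

Running it against a real lock file instead of `DEPS` shows the same thing at scale: a signature on the top-level package says nothing about any of the packages deeper in these chains.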

