182 points yarapavan | 14 comments

1. mlinksva No.43614464
Good article for what it covers, but sadly does not cover isolation/sandboxing/least privilege.
replies(2): >>43614987 >>43615031
2. Alive-in-2025 No.43614987
Yes. The crucial issue to me is the increasing frequency of attacks where some piece of open source gets an update - leading to endless hidden supply chain attacks.

I don't see anything that is going to block this from getting worse and worse. It became a pretty common issue that I first heard about with npm or node.js and their variants, maybe because people update software so much there and have lots of dependencies. I don't see a solution. A single program can have huge numbers of dependencies, even C++ or Java programs now.

It's not new, here's one from 6 years ago on C++ - https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c...

Don't forget log4j - https://www.infoworld.com/article/3850718/developers-apply-t..., points to this recent paper https://arxiv.org/pdf/2503.12192

3. bitwize No.43615031
Indeed. In the 2020s, if you're not sandboxing each thing, and then sandboxing each library the thing depends on, you're running with way too many opportunities for vulnerability.
replies(1): >>43615529
4. LtWorf No.43615529
Well said! How?
replies(3): >>43615593 >>43617134 >>43617404
5. bitwize No.43615593
I have no freaking idea. Needless to say I don't think our current operating systems are up to the task of actually being secure. You have to be able to somehow dynamic-link in a library whilst only giving calls into that library certain permissions/capabilities... which I don't think even Windows can do.
replies(4): >>43615767 >>43615910 >>43616588 >>43617962
6. huijzer No.43615767
Didn’t Jess Frazelle have most of her dependencies running inside lots of Docker containers for a while? She went pretty far and also kept it up for a long time. E.g., https://blog.jessfraz.com/post/docker-containers-on-the-desk...
replies(1): >>43659428
7. GuinansEyebrows No.43615910
Ignorant reply here, but would OpenBSD's `pledge` and `unveil` sorta cover what you're talking about?
replies(1): >>43616075
8. LtWorf No.43616075
At the library level? Not as far as I know…
9. gizmo686 No.43616588
Forget OS support, is that something that modern CPUs can support efficiently? As far as I can tell, enforcing a security boundary across libraries would require changing the page table twice for every library call, which seems like a big performance hit.
10. mlinksva No.43617134
I don't really know because I haven't put work in to investigate, but some things in that direction seem to be, possibly in order of some combination of maturity and comprehensiveness.

  - CHERI compartmentalisation
  - LavaMoat (js)
  - Scala "capture checking"
  - Java "integrity by default"
replies(1): >>43618873
11. zzo38computer No.43617404
I have some ideas about operating system design (and stuff relating to the CPU design, too) to help with this and other issues (e.g. network transparency, resisting fingerprinting, better user programmability and interoperability, etc). This means that it is fully deterministic except I/O, and all I/O uses capabilities which may be proxied etc. Libraries may run in separate processes if desired (but this is not always required). However, other differences compared with existing systems are also necessary for improved security (and other improvements); merely doing other things like existing systems do has some problems. For example, USB will not be used, and Unicode also will not be used. Atomic locking/transactions of multiple objects at once will be necessary, too (this can avoid many kinds of race conditions with existing systems, as well as other problems). File access is not done by names (files do not have names). And then, a specific implementation and distribution may have requirements and checking for the packages provided in the package manager and in the default installation (and the specification will include recommendations). These things alone still will not solve everything, but it is a start.
12. izacus No.43617962
Then maybe your notion of security is useless in the real world and needs a rethink.

Security, when practiced, is a fundamentally practical discipline that needs to work with the world as is, not with dreams of putting people in basements in chains.

13. LtWorf No.43618873
I haven't really understood how lavamoat works (if it works).
14. LtWorf No.43659428
How would that protect you from a library?