
182 points | yarapavan | 1 comments
mlinksva No.43614464
Good article for what it covers, but sadly does not cover isolation/sandboxing/least privilege.
replies(2): >>43614987 >>43615031
1. Alive-in-2025 No.43614987
Yes. The crucial issue to me is the increasing frequency of attacks where some piece of open source gets an update - leading to endless hidden supply chain attacks.

I don't see anything that is going to block this from getting worse and worse. It became a pretty common issue that I first heard about with npm or Node.js and their variants, maybe because people update software so much there and have lots of dependencies. I don't see a solution. A single program can have huge numbers of dependencies, even C++ or Java programs now.

It's not new; here's one from 6 years ago on C++ - https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c...

Don't forget Log4j - https://www.infoworld.com/article/3850718/developers-apply-t..., which points to this recent paper: https://arxiv.org/pdf/2503.12192