←back to thread

Fifty Years of Open Source Software Supply Chain Security

(queue.acm.org)
182 points yarapavan | 7 comments | 07 Apr 25 18:04 UTC | HN request time: 0.832s | source | bottom
Show context
mlinksva ◴[07 Apr 25 18:31 UTC] No.43614464[source]
Good article for what it covers, but sadly does not cover isolation/sandboxing/least privilege.
replies(2): >>43614987 #>>43615031 #
bitwize ◴[07 Apr 25 19:34 UTC] No.43615031[source]
Indeed. In 2020s, if you're not sandboxing each thing, and then sandboxing each library the thing depends on, you're running with way too many opportunities for vulnerability.
replies(1): >>43615529 #
LtWorf ◴[07 Apr 25 20:19 UTC] No.43615529[source]
Well said! How?
replies(3): >>43615593 #>>43617134 #>>43617404 #
1. bitwize ◴[07 Apr 25 20:26 UTC] No.43615593[source]
I have no freaking idea. Needless to say I don't think our current operating systems are up to the task of actually being secure. You have to be able to somehow dynamic-link in a library whilst only giving calls into that library certain permissions/capabilities... which I don't think even Windows can do.
replies(4): >>43615767 #>>43615910 #>>43616588 #>>43617962 #
2. huijzer ◴[07 Apr 25 20:46 UTC] No.43615767[source]
Didn’t Jess Frazelle have most of her dependencies running inside lots of Docker containers for a while? She went pretty far and also kept it up for a long time. E.g., https://blog.jessfraz.com/post/docker-containers-on-the-desk...
replies(1): >>43659428 #
3. GuinansEyebrows ◴[07 Apr 25 21:03 UTC] No.43615910[source]
Ignorant reply here, but would openbsd's `pledge` and `unveil` sorta cover what you're talking about?
replies(1): >>43616075 #
4. LtWorf ◴[07 Apr 25 21:21 UTC] No.43616075[source]
At the library level? Not as far as I know…
5. gizmo686 ◴[07 Apr 25 22:22 UTC] No.43616588[source]
Forget OS support, is that something that modern CPUs can support efficiently? As far as I can tell, enforcing a security boundary across libraries would require changing the page table twice for every library call, which seems like a big performance hit.
6. izacus ◴[08 Apr 25 02:55 UTC] No.43617962[source]
Then maybe your notion of security is useless in the real world and needs a rethink.

Security, when practiced, is a fundamentally practical discipline that needs to work with the world as is, not with dreams of putting people in basements in chains.

7. LtWorf ◴[11 Apr 25 22:35 UTC] No.43659428[source]
How would that protect you from a library?