182 points yarapavan | 3 comments
neuroelectron ◴[] No.43616167
Very suspicious article. Sounds like the "nothing to see here folks, move along" school of security.

Reproducibility is more like a security smell; a symptom you’re doing things right. Determinism is the correct target and subtly different.

The focus on supply chain is a distraction. A variant of the “trusting trust” attack Ken Thompson described in 1984 is still among the most elegant and devastating. Infected development toolchains can spread horizontally to “secure” builds.

Just because it’s open doesn’t mean anyone’s been watching closely. "50 years of security"? Important pillars of OSS have been touched by thousands of contributors with varying levels of oversight. Many commits predate strong code-signing or provenance tracking. If a compiler was compromised at any point, everything it compiled—including future versions of itself—could carry that compromise forward invisibly. This includes even "cleanroom" rebuilds.

replies(4): >>43616257 #>>43617725 #>>43621870 #>>43622202 #
1. TZubiri ◴[] No.43617725
I agree that it's handwavy, my take on supply chain vulns is that the only way to fight them is to reduce dependencies, massively.

Additionally, the few dependencies you have should be well compensated to avoid 'alternative monetization'.

You can't have the cake (massive amounts of gratis software) and eat it too (security and quality warranties).

The 100 layers of signing and layer 4 package managers is a huge coping mechanism by those that are not ready to bite the tradeoff.

replies(1): >>43618055 #
2. pabs3 ◴[] No.43618055
The amount of software depended on is always going to be massive; it's not like every developer is going to write a BIOS, kernel, drivers, networking stack, compilers, interpreters, and so on for every project. So there will always be a massive iceberg of other people's code underneath what each developer writes.
replies(1): >>43636451 #
3. TZubiri ◴[] No.43636451
Sure, but all of those you mentioned are part of a base OS.

I'm not sure what the fallacy is called, but you say we have an excess of X and then the fallacy is "we can't live without X".

Modern projects, especially in the JavaScript realm, have like 10K dependencies. Having one dependency in an Operating System (even though it may itself have its own dependencies) is a huuuuuuuuuge difference.

You can pay cash money to Windows or Red Hat and have either a company that owns all of the deps, or a company that vets all of the dependencies, distributes some cash through donations, and provides a sensible base package.

It may sound extreme, but you don't need much more than a Base OS. If you reaaallly want something else, you can check the OS official package repository. Downloading some third party code is what's extreme to me.