Open Source is one person

(opensourcesecurity.io)

433 points LawnGnome | 1 comments | 28 Aug 25 01:54 UTC | HN request time: 0.205s | source

Show context

kube-system ◴[28 Aug 25 12:41 UTC] No.45051453[source]▶

I feel like there's a lot of misunderstanding of this issue in the software community, because primarily, supply chain risk isn't a software or engineering issue. It's a governance issue.

Someone doesn't have to be a bad actor for a project to have supply chain risk. Nor do all who evaluate supply chain risk have the same security posture and evaluate risks the same as others might. The DoD likely has a very different set of risks they evaluate against for their security posture than you do.

Most supply chain risks are not an indictment of somebody's code or somebody's character. A lot of one person projects are risky just because they're only one person. Having a bus factor of one is a supply chain risk in and of itself.

And while most people don't prepare for war while choosing their packages, it's not unreasonable for a military to do so. During a war, the ability for people to govern themselves and their own projects often changes dramatically, even in democratic countries. It is entirely routine for countries to require cooperation by the force of law in war time, even the US can and has forced private companies to cooperate with war efforts. This is probably not in the security posture calculation for most of us. But it is for some.

replies(5): >>45053302 #>>45054049 #>>45055648 #>>45065422 #>>45102037 #

conartist6 ◴[28 Aug 25 15:18 UTC] No.45053302[source]▶

>>45051453 #

Huh? The DoD would not have used the package if they hadn't read every line, locked it down for updates, and were ready to patch it themselves if needed. Can you really imagine in a war they'd be like "damn, if only there were a second person we also don't trust at all to do this work for us cause otherwise we'd just be SOL"

replies(5): >>45053479 #>>45053936 #>>45054879 #>>45055589 #>>45057819 #

moron4hire ◴[28 Aug 25 15:31 UTC] No.45053479[source]▶

>>45053302 #

I don't know where you're working, maybe you work in some secret lab where everything is air-gapped and not even the pigeons are allowed within a mile of the facility. In which case, what the hell are you doing commenting on a public message board?

That is absolutely not how DoD works. The vast majority of code is contracted out. Nobody from DoD side is reading any of the code. It's all a series of affidavits and audits for configuration management process. Vendors assert everything's cool. Failed audits lead to fines or revocation of access. And the audits check up on documentation and config. They don't dig into code.

At no point in time is anyone, anywhere, in this process reading every single line of code. Not even A single line of code. I doubt they even read the Software Bill of Materials we're supposed to generate, because I've never heard any feedback on any of it.

replies(1): >>45053514 #

conartist6 ◴[28 Aug 25 15:34 UTC] No.45053514[source]▶

>>45053479 #

Doesn't change the fact that they can just fork it if it ever matters though...

replies(3): >>45053634 #>>45054340 #>>45056675 #

1. nradov ◴[28 Aug 25 20:27 UTC] No.45056675[source]▶

>>45053514 #

Just forking the code doesn't get you very far. Few of those products have what we would call reproducible builds so good luck trying to create a working release image if you don't have access to the contractor's infrastructure and tooling.

↑