←back to thread

Open Source is one person

(opensourcesecurity.io)
433 points LawnGnome | 1 comments | 28 Aug 25 01:54 UTC | HN request time: 0s | source
Show context
kube-system ◴[28 Aug 25 12:41 UTC] No.45051453[source]
I feel like there's a lot of misunderstanding of this issue in the software community, because primarily, supply chain risk isn't a software or engineering issue. It's a governance issue.

Someone doesn't have to be a bad actor for a project to have supply chain risk. Nor do all who evaluate supply chain risk have the same security posture and evaluate risks the same as others might. The DoD likely has a very different set of risks they evaluate against for their security posture than you do.

Most supply chain risks are not an indictment of somebody's code or somebody's character. A lot of one person projects are risky just because they're only one person. Having a bus factor of one is a supply chain risk in and of itself.

And while most people don't prepare for war while choosing their packages, it's not unreasonable for a military to do so. During a war, the ability for people to govern themselves and their own projects often changes dramatically, even in democratic countries. It is entirely routine for countries to require cooperation by the force of law in war time, even the US can and has forced private companies to cooperate with war efforts. This is probably not in the security posture calculation for most of us. But it is for some.

replies(5): >>45053302 #>>45054049 #>>45055648 #>>45065422 #>>45102037 #
conartist6 ◴[28 Aug 25 15:18 UTC] No.45053302[source]
Huh? The DoD would not have used the package if they hadn't read every line, locked it down for updates, and were ready to patch it themselves if needed. Can you really imagine in a war they'd be like "damn, if only there were a second person we also don't trust at all to do this work for us cause otherwise we'd just be SOL"
replies(5): >>45053479 #>>45053936 #>>45054879 #>>45055589 #>>45057819 #
1. tracker1 ◴[28 Aug 25 22:35 UTC] No.45057819[source]
I think you're seriously overestimating the amount of work the DoD will use... It really depends on what you are working on and where it will be used. I've worked on govt adjacent, military and banking projects... The most locked down in terms of packages I can use have been banks. In one case, a lawyer had to review (mostly licensing) every package that got added in to the local npm mirror for allowed internal use.. and another review for every version bump. Then of course, the (one) guy retires and there's no reviews for a month (so much for the launch date).

I've also been in a sealed environment, where I literally had to hand copy jQuery from an internet connected computer on one side of the room to an internal dev computer on the other side of the room... no disks, usb drives, etc allowed. That was a few days of "fun."