There's A LOT going on (analysis, discussion, vendor notices, etc.) related to the ongoing xz/liblzma compromise, so I created a "link roundup" which centralizes and buckets a lot of the awesome links and threads I've seen flying around.
Note on all the #xz drama, there are some technical solutions for such #supplychainattack that can make such an attack way harder, at least to hide the code in tarballs etc.
https://slsa.dev/, e.g., is a solution. Combined with reproducible builds, it ensures that a software artifact is built exactly from the source given in a source repository, with the possibility to prove that and no way for any maintainer to tamper with it (at the highest level).
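To make the verification step concrete, here is an added example (not code from the thread or from the SLSA project) of how a consumer checks a release against a provenance statement and a rebuild from the trusted source tree. The provenance layout, the in-memory "repository", the stand-in build function and the builder id are all constructed for illustration; real SLSA provenance is a signed in-toto statement with a richer schema.

```python
import hashlib

# Constructed sample: a tiny "source repository" as path -> file bytes.
SOURCE_REPO = {
    "configure.ac": b"AC_INIT([demo], [1.0])\n",
    "src/decode.c": b"int decode(void) { return 0; }\n",
}

# Constructed sample: builder identities the consumer is willing to trust.
TRUSTED_BUILDERS = {"https://example.invalid/ci-builder"}  # hypothetical id


def digest_tree(files):
    """Content hash of a source tree, independent of dict insertion order."""
    h = hashlib.sha256()
    for path in sorted(files):
        h.update(path.encode())
        h.update(b"\0")
        h.update(hashlib.sha256(files[path]).digest())
    return h.hexdigest()


def build(files):
    """Deterministic stand-in for a build: the artifact depends only on the
    source tree (no timestamps, no environment), so two builds of the same
    tree are byte-identical. That property is what 'reproducible' means here."""
    return b"".join(p.encode() + b"\n" + files[p] for p in sorted(files))


def make_provenance(source_files, builder_id):
    """Simplified provenance record (field names are assumptions, not SLSA's)."""
    artifact = build(source_files)
    return {
        "subject_sha256": hashlib.sha256(artifact).hexdigest(),
        "source_sha256": digest_tree(source_files),
        "builder_id": builder_id,
    }


def verify(artifact, provenance, trusted_source_files, trusted_builders):
    """Return the list of failed checks; an empty list means the artifact
    is exactly what the trusted source produces under a trusted builder."""
    reasons = []
    if provenance["builder_id"] not in trusted_builders:
        reasons.append("untrusted builder")
    if digest_tree(trusted_source_files) != provenance["source_sha256"]:
        reasons.append("source mismatch")
    if hashlib.sha256(artifact).hexdigest() != provenance["subject_sha256"]:
        reasons.append("artifact digest mismatch")
    # The reproducible-build check: rebuild from the repository and compare.
    # Anything present only in the shipped tarball shows up here.
    if build(trusted_source_files) != artifact:
        reasons.append("not reproducible from source")
    return reasons


def demo():
    builder = next(iter(TRUSTED_BUILDERS))
    prov = make_provenance(SOURCE_REPO, builder)
    good = build(SOURCE_REPO)
    # Constructed tamper case: a file that exists only in the release
    # tarball, not in the repository the provenance points at.
    tampered_tree = dict(SOURCE_REPO, **{"m4/extra.m4": b"dnl injected\n"})
    bad = build(tampered_tree)
    return verify(good, prov, SOURCE_REPO, TRUSTED_BUILDERS), \
        verify(bad, prov, SOURCE_REPO, TRUSTED_BUILDERS)


if __name__ == "__main__":
    ok, failed = demo()
    print("clean release:", ok or "verified")
    print("tampered tarball:", failed)
```

The point of the rebuild comparison is that a maintainer (or anyone holding the release-upload credentials) cannot slip content into the distributed tarball without the consumer noticing, provided the build itself is reproducible and the provenance is signed by a builder the consumer trusts rather than by the maintainer.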
Random #pldev and #packagemanager idea: In the build system, developers should explicitly grant permission for packages to execute risky tasks like accessing the filesystem or network. This includes all transitive dependencies. By doing so, any suspicious behavior introduced by updates to dependencies or their dependencies would be apparent.
I am certainly a noob in this area and am not certain whether this can be an effective strategy to mitigate #supplychainattack
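One way the idea in the post above could work in a build system, as an added example that is not code from the thread or from any existing package manager: every package in the lock file declares the capabilities it needs, the application author grants capabilities per package, and the build fails if any package in the transitive closure needs something it was not granted. The package graph, capability names and grant table are all constructed for the example; a capability diff across an update is what surfaces "a dependency of a dependency started asking for the network".

```python
# Constructed lock file: package -> (declared capabilities, direct dependencies)
PACKAGES = {
    "app":          (set(),            ["compress-lib", "http-client"]),
    "compress-lib": ({"fs:read"},      ["decoder-core"]),
    "decoder-core": (set(),            []),
    "http-client":  ({"net"},          ["tls"]),
    "tls":          ({"net"},          []),
}

# Constructed grant table written by the application author: what each
# package, including transitive ones, is explicitly allowed to do.
GRANTS = {
    "compress-lib": {"fs:read"},
    "http-client":  {"net"},
    "tls":          {"net"},
}


def transitive_closure(root, packages):
    """All packages reachable from root, root included; cycle-safe."""
    seen, stack = set(), [root]
    while stack:
        pkg = stack.pop()
        if pkg in seen:
            continue
        seen.add(pkg)
        _, deps = packages.get(pkg, (set(), []))
        stack.extend(deps)
    return seen


def audit(root, packages, grants):
    """Return {package: capabilities it declares but was not granted}.
    Empty dict means the whole dependency tree is within policy."""
    violations = {}
    for pkg in transitive_closure(root, packages):
        declared, _ = packages[pkg]
        ungranted = declared - grants.get(pkg, set())
        if ungranted:
            violations[pkg] = ungranted
    return violations


def capability_diff(root, old_packages, new_packages):
    """Capabilities that appear after an update but were absent before,
    per package. New packages count entirely as new capabilities."""
    old_caps = {p: old_packages[p][0] for p in transitive_closure(root, old_packages)}
    added = {}
    for pkg in transitive_closure(root, new_packages):
        new_caps = new_packages[pkg][0] - old_caps.get(pkg, set())
        if new_caps:
            added[pkg] = new_caps
    return added


def simulate_update():
    """Constructed scenario: a transitive dependency's new version starts
    declaring a capability nobody granted it."""
    updated = dict(PACKAGES)
    updated["decoder-core"] = ({"process:exec"}, [])
    return capability_diff("app", PACKAGES, updated), audit("app", updated, GRANTS)


if __name__ == "__main__":
    print("baseline violations:", audit("app", PACKAGES, GRANTS))
    new_caps, violations = simulate_update()
    print("capabilities introduced by update:", new_caps)
    print("build should fail because of:", violations)
```

The check is only as good as the enforcement behind it: declaring capabilities in a manifest documents intent, but a package can still call the filesystem or network unless the runtime or sandbox actually denies what was not granted. That enforcement gap is exactly what the capabilities-based-security remark later in this thread is about.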
😶 We've learned nothing from the SolarWinds hack
➥ cyrnel
"Given its high profile, I'm shocked to report that I feel very little has been learned from that attack.
To me, the hack was a wake-up call about how the way we install and run software is insecure by design and needs a rework, maybe using capabilities-based security. But all I hear about is a bunch of solutions that kinda miss the point."