A note on all the #xz drama: there are technical solutions for this kind of #supplychainattack that make such an attack much harder, at least when it comes to hiding code in tarballs etc.
https://slsa.dev/, for example, is one such solution. Combined with reproducible builds, it ensures that a software artifact is built exactly from the source in a given source repository, with the possibility to prove that, and (at the highest level) no way for any maintainer to tamper with it.
Furthermore, the proofs (provenance) for produced software artifacts are written into a database similar to #certificateTransparency.
We have recently implemented this in #PrivateBin and it works great: https://github.com/PrivateBin/PrivateBin/issues/1169
Of course, in practice, people (especially software consumers) need to actually verify it for this to be worth the work.
Obviously, it's no magic bullet; it just raises the bar for an attacker. The source code repo could still be made to contain bad code, but you can no longer tamper at build time.
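To make the "consumers need to verify it" point concrete, here is an added example (not from the original post and not PrivateBin's code) of the policy checks a consumer performs on a SLSA provenance statement: the artifact hash must match the statement's subject, the builder must be one you trust, and the recorded source must be the repository you expect. The artifact bytes, the SLSA v0.2 statement and the trusted-builder set are all constructed for this example. It deliberately skips the signature and transparency-log checks that a tool like slsa-verifier does for you, so it shows the policy layer only.

```python
import hashlib
import json

# --- Constructed sample data (not a real release) -------------------------
ARTIFACT = b"pretend-release-tarball-contents\n"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()

# Hypothetical source repository and tag for this example.
SOURCE_URI = "git+https://github.com/example/project"
SOURCE_REF = SOURCE_URI + "@refs/tags/v1.0.0"
SOURCE_COMMIT = "0" * 40  # placeholder commit id

# An in-toto Statement carrying a SLSA v0.2 provenance predicate, as the
# slsa-github-generator would emit it (values constructed for the example).
PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "release.tar.gz", "digest": {"sha256": ARTIFACT_SHA256}}],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {
        "builder": {
            "id": "https://github.com/slsa-framework/slsa-github-generator/"
                  ".github/workflows/generator_generic_slsa3.yml@refs/tags/v1.9.0"
        },
        "buildType": "https://github.com/slsa-framework/slsa-github-generator/generic@v1",
        "invocation": {
            "configSource": {
                "uri": SOURCE_REF,
                "digest": {"sha1": SOURCE_COMMIT},
                "entryPoint": ".github/workflows/release.yml",
            }
        },
        "materials": [{"uri": SOURCE_REF, "digest": {"sha1": SOURCE_COMMIT}}],
    },
}

# Builders the consumer trusts (workflow path without the @ref suffix).
TRUSTED_BUILDERS = {
    "https://github.com/slsa-framework/slsa-github-generator/"
    ".github/workflows/generator_generic_slsa3.yml",
}


def verify_provenance(artifact: bytes, statement: dict,
                      expected_source_uri: str, trusted_builders: set) -> list:
    """Return a list of policy violations; an empty list means the artifact
    is accepted. Signature/DSSE and transparency-log checks are out of scope."""
    problems = []

    # 1. The artifact we downloaded must be one of the statement's subjects.
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        problems.append("artifact digest %s not listed as a subject" % digest)

    # 2. Only accept the predicate format we know how to interpret.
    if statement.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        problems.append("unexpected predicateType %r" % statement.get("predicateType"))
        return problems
    pred = statement.get("predicate", {})

    # 3. The build must have run on a trusted, non-maintainer-controlled builder.
    builder_id = pred.get("builder", {}).get("id", "")
    builder_path = builder_id.split("@", 1)[0]
    if builder_path not in trusted_builders:
        problems.append("untrusted builder %r" % builder_id)

    # 4. The source the builder checked out must be the expected repository.
    config_uri = pred.get("invocation", {}).get("configSource", {}).get("uri", "")
    if not config_uri.startswith(expected_source_uri + "@"):
        problems.append("configSource %r is not the expected source repo" % config_uri)
    material_uris = [m.get("uri", "") for m in pred.get("materials", [])]
    if not any(u.startswith(expected_source_uri + "@") for u in material_uris):
        problems.append("expected source repo missing from materials")

    return problems


def matches_reproduced_build(statement: dict, rebuilt: bytes) -> bool:
    """Reproducible-builds check: an independent rebuild from the recorded
    source must hash to the same subject digest the builder attested to."""
    digest = hashlib.sha256(rebuilt).hexdigest()
    return any(s.get("digest", {}).get("sha256") == digest
               for s in statement.get("subject", []))


if __name__ == "__main__":
    print(json.dumps(PROVENANCE, indent=2))
    print("violations:", verify_provenance(ARTIFACT, PROVENANCE, SOURCE_URI, TRUSTED_BUILDERS))
    print("tampered:", verify_provenance(ARTIFACT + b"x", PROVENANCE, SOURCE_URI, TRUSTED_BUILDERS))
```

In real use, the statement comes wrapped in a signed DSSE envelope, and the published slsa-verifier CLI performs the signature, certificate and Rekor checks before applying the same kind of builder and source policy (its documented form is roughly `slsa-verifier verify-artifact <file> --provenance-path <provenance> --source-uri github.com/<org>/<repo>`). The point of the example is that none of these checks have any value unless the consumer runs them; a provenance nobody verifies is just another file in the release.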