michaelw | 2 years ago
There are three major types of risk in the software supply chain:
- Correctness. Does the source have flaws (or backdoors) that allow it to be exploited?
- Integrity. Was it tampered with from source to binary (typically to inject intentional flaws or backdoors)?
- Availability. Is it available for use in a build?
This last one is often ignored. It's less sensational and "nothing ever goes away from the Internet, right? Right???"

There are all kinds of nasty examples of dependencies going away. The two big patterns are:
- Infrastructure availability. That's this case and yes, CDNs are a nasty point of failure. Wanna guess how many package managers depend on a single CDN?
- Intentional delisting. This has happened often enough over the past few years. When the package maintainer throws their toys out of the pram and either removes the package from public access or effectively zeros it out. This can happen to the source too (hello colors.js)
The ideal is to have your build process be hermetic, not just from when you kick off the build but over a longer period of time. At the very least have an artifact management solution that you control as a caching proxy.

I'd like to see the major cloud providers caching all the major package repos inside their networks.
I'd also like to see multiple CDNs for every major package ecosystem.
I highly recommend reading https://slsa.dev
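The "caching proxy you control" idea from the comment above, as an added example that is not part of the original post: a content-addressed artifact store in front of a hash-pinned lockfile. The build resolves every dependency from the local store first and only touches upstream on a miss, and every blob is checked against the pinned digest no matter where it came from. The package names, URLs, payloads and the in-memory "CDN" are constructed for the demo; the store layout is an assumption, not the format of any real package manager.

```python
"""Hash-pinned, content-addressed dependency cache (added example, not from the post).
Package names, URLs, payloads and the fake upstream below are constructed."""
import hashlib
import tempfile
from pathlib import Path
from typing import Callable, Dict, Tuple


class UpstreamUnavailable(Exception):
    """Upstream has nothing for this URL (CDN outage, package delisted)."""


class IntegrityError(Exception):
    """Bytes do not match the digest pinned in the lockfile."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ArtifactStore:
    """Store you control: each blob lives under its own sha256 (assumed layout)."""

    def __init__(self, root: Path) -> None:
        self.root = root

    def _path(self, digest: str) -> Path:
        return self.root / digest[:2] / digest

    def has(self, digest: str) -> bool:
        return self._path(digest).is_file()

    def get(self, digest: str) -> bytes:
        data = self._path(digest).read_bytes()
        # Re-verify on read: a corrupted cache must not silently feed a build.
        if sha256_hex(data) != digest:
            raise IntegrityError(f"cache entry {digest} is corrupt")
        return data

    def put(self, data: bytes) -> str:
        digest = sha256_hex(data)
        path = self._path(digest)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
        return digest


def fetch_artifact(key: str, lock: Dict[str, Dict[str, str]], store: ArtifactStore,
                   upstream: Callable[[str], bytes]) -> Tuple[bytes, str]:
    """Resolve one pinned dependency: local store first, upstream only on a miss.
    Returns (bytes, "cache" | "upstream"); raises if the digest does not match."""
    entry = lock[key]
    expected = entry["sha256"]
    if store.has(expected):
        return store.get(expected), "cache"       # hermetic path: no network touched
    data = upstream(entry["url"])                # may raise UpstreamUnavailable
    if sha256_hex(data) != expected:
        raise IntegrityError(f"{key}: upstream bytes do not match pinned digest")
    store.put(data)                              # cache it so later builds are hermetic
    return data, "upstream"


def demo() -> Dict[str, str]:
    """Four builds against a changing upstream; returns what happened in each."""
    colors_blob = b"module.exports = s => s;  // colors 1.4.0 (constructed)"
    left_pad_blob = b"module.exports = (s, n) => s.padStart(n); // constructed"
    lock = {  # constructed lockfile: name==version -> where to get it, what it must hash to
        "colors==1.4.0": {"url": "https://cdn.example/colors-1.4.0.tgz",
                          "sha256": sha256_hex(colors_blob)},
        "left-pad==1.3.0": {"url": "https://cdn.example/left-pad-1.3.0.tgz",
                            "sha256": sha256_hex(left_pad_blob)},
    }
    registry = {lock["colors==1.4.0"]["url"]: colors_blob,       # in-memory fake CDN
                lock["left-pad==1.3.0"]["url"]: left_pad_blob}

    def upstream(url: str) -> bytes:
        if url not in registry:
            raise UpstreamUnavailable(url)
        return registry[url]

    results: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        store = ArtifactStore(Path(tmp))
        # Build 1: cold cache, so the blob comes from upstream and is verified.
        _, results["build1_colors"] = fetch_artifact("colors==1.4.0", lock, store, upstream)
        # Maintainer delists the package. Build 2 is unaffected: it reads our store.
        del registry[lock["colors==1.4.0"]["url"]]
        _, results["build2_colors"] = fetch_artifact("colors==1.4.0", lock, store, upstream)
        # Build 3: upstream serves tampered bytes for a package we never cached.
        registry[lock["left-pad==1.3.0"]["url"]] = left_pad_blob + b"; require('evil')"
        try:
            fetch_artifact("left-pad==1.3.0", lock, store, upstream)
            results["build3_left_pad"] = "accepted"
        except IntegrityError:
            results["build3_left_pad"] = "rejected"   # tampered blob never enters the store
        # Build 4: that package is now delisted too, and it was never cached: this is the
        # availability failure the comment describes, and only a populated cache prevents it.
        del registry[lock["left-pad==1.3.0"]["url"]]
        try:
            fetch_artifact("left-pad==1.3.0", lock, store, upstream)
            results["build4_left_pad"] = "fetched"
        except UpstreamUnavailable:
            results["build4_left_pad"] = "unavailable"
    return results


if __name__ == "__main__":
    print(demo())
```

The order of checks is the point: the store is keyed by digest, so a cache hit is by construction the bytes the lockfile pinned, and an upstream fetch is verified before it is written. Delisting (build 2) costs nothing once the blob is cached, tampering (build 3) is caught before anything lands in the store, and the one unrecoverable case (build 4) is a package that was never cached, which is exactly why the cache has to be populated ahead of time rather than on demand.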