top | item 43692108

cyrnel | 10 months ago

On its own, immutability isn't a complete solution to supply chain attacks. Software still needs to be updated and those updates could contain malware too.

You need immutability and something like sandboxing where actions cannot e.g. dump the memory of the runner process to steal secrets.

The alternative is vetting every single line of code in every dependency and every subdependency perfectly for every update, which is not realistic.
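The two layers the comment describes, as an added example that is not code from the thread: a lockfile that pins artifact digests (immutability) and an install hook that runs without access to the runner's secrets (sandboxing). The registry, the package names and hook sources, the lockfile and the DEPLOY_TOKEN value are all constructed for the demo, and the "sandbox" is only an environment scrub standing in for a real one.

```python
"""Added example, not code from the thread: a pinned lockfile (immutability)
plus a sandboxed install hook (secret isolation), showing why the first
layer alone does not stop a malicious update.  The registry, package names,
hook sources and DEPLOY_TOKEN are all constructed for this demo."""
import hashlib
import os
import subprocess
import sys
import tempfile

# Constructed "registry": package version -> source of its install hook.
# Each hook runs as a child process and writes its result to argv[1].
REGISTRY = {
    # Benign release, reviewed when the lockfile was first created.
    "leftpad-1.0.0": "import sys\nopen(sys.argv[1], 'w').write('built ok')\n",
    # Later release: same API, but the hook grabs the runner's CI token.
    "leftpad-1.0.1": (
        "import os, sys\n"
        "open(sys.argv[1], 'w').write(os.environ.get('DEPLOY_TOKEN', ''))\n"
    ),
}

# What the runner process holds; the token is the secret a hook is after.
RUNNER_ENV = {"PATH": os.environ.get("PATH", ""), "DEPLOY_TOKEN": "tok_constructed_123"}


def digest(src: str) -> str:
    return hashlib.sha256(src.encode()).hexdigest()


# Lockfile as it looks after a routine "bump to 1.0.1": the new digest was
# pinned without anyone reading the new hook, so immutability is satisfied.
LOCKFILE = {name: digest(src) for name, src in REGISTRY.items()}


def verify_pinned(name: str, src: str, lockfile: dict) -> bool:
    """Immutability layer: refuse any artifact whose digest is not pinned."""
    return lockfile.get(name) == digest(src)


def run_install_hook(src: str, runner_env: dict, sandboxed: bool) -> str:
    """Run a dependency's install hook in a child and return what it wrote.

    sandboxed=False: the child inherits the runner's environment (typical CI).
    sandboxed=True:  the child gets only PATH, so no secret is reachable.  This
    stands in for a real sandbox (separate uid or namespace, seccomp), which
    would also have to block ptrace and /proc/<pid>/mem reads of the runner.
    """
    with tempfile.TemporaryDirectory() as tmp:
        hook = os.path.join(tmp, "hook.py")
        out = os.path.join(tmp, "hook_output.txt")
        with open(hook, "w") as f:
            f.write(src)
        env = {"PATH": runner_env.get("PATH", "")} if sandboxed else dict(runner_env)
        subprocess.run([sys.executable, hook, out], env=env, check=True, timeout=30)
        with open(out) as f:
            return f.read()


def install(name: str, src: str, lockfile: dict, runner_env: dict,
            sandboxed: bool) -> dict:
    """Both layers together: pin check first, then the hook in the sandbox."""
    if not verify_pinned(name, src, lockfile):
        return {"installed": False, "leaked": ""}
    return {"installed": True, "leaked": run_install_hook(src, runner_env, sandboxed)}


if __name__ == "__main__":
    src = REGISTRY["leftpad-1.0.1"]
    print("tampered artifact rejected:",
          not verify_pinned("leftpad-1.0.1", src + "# tampered\n", LOCKFILE))
    print("pinned but unsandboxed:",
          install("leftpad-1.0.1", src, LOCKFILE, RUNNER_ENV, sandboxed=False))
    print("pinned and sandboxed:",
          install("leftpad-1.0.1", src, LOCKFILE, RUNNER_ENV, sandboxed=True))
```

The pin check catches an artifact that was altered after review, but it passes the 1.0.1 hook unchanged because that hook is exactly what was pinned; only the sandboxed run keeps the token out of its reach. Scrubbing the environment is the smallest possible stand-in: a hook that can ptrace or read /proc/<pid>/mem of the runner still gets the secret, which is why a real runner sandbox also separates the hook by uid or namespace.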
