1 comment

[ 5.1 ms ] story [ 7.1 ms ] thread
In this post https://drewdevault.com/2022/05/12/Supply-chain-when-will-we..., Drew DeVault talked about supply chain attacks against language package managers (npm, PyPI, cargo, etc…) - and compares them to official Linux distribution repositories (deb, rpm, etc…).

I wanted to try and figure out if this solution - use official Linux distribution packages instead of language ones - would work in practice, what that might look like, and how that might scale.

I thought that the answer would be no, because it wouldn't scale - but, surprisingly, I think it might?

My thoughts & research are written up here: https://duncanlock.net/blog/2022/05/29/supply-chain-attacks-...