
Supply Chain Security #1

Open
max-au opened this issue Aug 15, 2019 · 3 comments

Comments

@max-au
Member

max-au commented Aug 15, 2019

Ensure supply chain security for code/package repositories (e.g. hex.pm)

@voltone
Collaborator

voltone commented Dec 16, 2021

Let's collect some thoughts here, we can discuss in the next meeting how we want to turn this into actionable tasks/projects/documents. I would suggest we try to answer the following questions:

  • What kind of supply chain security issues are we trying to protect against?
  • What tools/mechanisms/processes exist today, and what protections do they provide?
  • Which of the identified risks are currently not (sufficiently) addressed?
  • What tools/mechanisms/processes can be proposed to improve the situation?

@voltone
Collaborator

voltone commented Dec 30, 2021

What kind of supply chain security issues are we trying to protect against?

Some possibilities:

  • Typosquatting
  • Dependency confusion (public package with a name matching somebody's private package)
  • Bait-and-switch (a useful package transforms to malware after gaining adoption)
  • New maintainer of popular package proves to be bad actor
  • Malware in a PR, missed by maintainers/reviewers
  • Unauthorized package updates (e.g. after maintainer email account take-over)
  • Malicious package repository mirror
  • Man-in-the-Middle attack on connection to package repository
  • Primary package repository compromised
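Three of the threats in the list above (typosquatting, dependency confusion, and an unauthorized or tampered package reaching the client via a bad mirror or MITM) can be checked mechanically once a lock file pins names, source repositories and tarball checksums. The following Python script is an added example, not code from this issue, from hex.pm or from the working group: the package names, the "popular" and "private-only" name sets, the registry snapshot, the tarball bytes and the resulting checksums are all constructed sample data, and the repository label `"private"` is an assumed convention.

```python
"""Lock-file risk scan for three of the supply chain threats listed above.

Added example, not code from the issue or from hex.pm. All package names,
registry snapshots, tarball bytes and checksums below are constructed data.
"""
import hashlib


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


# Constructed snapshot of widely used public package names.
POPULAR_PUBLIC = {"plug", "phoenix", "jason", "ecto", "cowboy", "telemetry"}
# Constructed: names this organisation only ever publishes to its private repo.
PRIVATE_ONLY = {"acme_auth", "acme_billing"}
# Constructed: names registered on the public registry right now. Note that
# "acme_auth" has appeared publicly, which is the dependency-confusion precondition.
PUBLIC_REGISTRY = POPULAR_PUBLIC | {"acme_auth"}


def typosquat_candidates(name, known=POPULAR_PUBLIC, max_distance=1):
    """Popular names within max_distance edits of `name`, excluding an exact match."""
    return sorted(k for k in known if k != name and edit_distance(name, k) <= max_distance)


def is_dependency_confusion(name, resolved_repo):
    """A private-only name that exists publicly and was not resolved from the private repo."""
    return name in PRIVATE_ONLY and name in PUBLIC_REGISTRY and resolved_repo != "private"


def checksum_matches(tarball: bytes, pinned_sha256: str) -> bool:
    """Compare the fetched tarball against the hash pinned in the lock file."""
    return hashlib.sha256(tarball).hexdigest() == pinned_sha256


def scan(lock_entries):
    """Return (name, finding, detail) triples for every risky lock entry."""
    findings = []
    for e in lock_entries:
        squats = typosquat_candidates(e["name"])
        if squats:
            findings.append((e["name"], "typosquat", ", ".join(squats)))
        if is_dependency_confusion(e["name"], e["repo"]):
            findings.append((e["name"], "dependency_confusion", e["repo"]))
        if not checksum_matches(e["tarball"], e["sha256"]):
            findings.append((e["name"], "checksum_mismatch", e["sha256"][:12]))
    return findings


# Constructed tarball contents as first resolved (hashes pinned in the lock file)
# and as fetched now; the "cowboy" tarball was altered in transit or by a mirror.
ORIGINAL = {"plug": b"plug-1.14.0 (constructed tarball)",
            "pluq": b"pluq-1.14.0 (constructed tarball)",
            "acme_auth": b"acme_auth-0.3.0 (constructed tarball)",
            "cowboy": b"cowboy-2.9.0 (constructed tarball)"}
FETCHED = dict(ORIGINAL, cowboy=b"cowboy-2.9.0 (constructed, altered by a mirror)")

SAMPLE_LOCK = [
    {"name": n, "repo": "hexpm",
     "sha256": hashlib.sha256(ORIGINAL[n]).hexdigest(),
     "tarball": FETCHED[n]}
    for n in ("plug", "pluq", "acme_auth", "cowboy")
]

if __name__ == "__main__":
    for name, kind, detail in scan(SAMPLE_LOCK):
        print(f"{name:10} {kind:22} {detail}")
```

On the sample lock the scan reports `pluq` as one edit away from `plug`, `acme_auth` as a private-only name resolved from the public repository while a public package of that name exists, and `cowboy` as a checksum mismatch against the pinned hash. The checksum check only helps against the mirror and MITM cases if the pinned hash itself came from a trusted first resolution; it says nothing about the bait-and-switch or compromised-maintainer cases, where the legitimately signed new version is the malicious one.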

@DianaOlympos
Contributor

Following the Biden Admin EO, we can expect a lot of talk about SBOMs.

Worth pointing out for people to have a look at are:

  • GITBOM
  • Analysis of the supply chain landscape by the OSFF
