In this post https://drewdevault.com/2022/05/12/Supply-chain-when-will-we..., Drew DeVault talks about supply chain attacks against language package managers (npm, PyPI, cargo, etc…) and compares them to official Linux distribution repositories (deb, rpm, etc…).
I wanted to try and figure out if this solution - use official Linux distribution packages instead of language ones - would work in practice, what that might look like, and how that might scale.
I thought that the answer would be no, because it wouldn't scale - but, surprisingly, I think it might?
My thoughts & research are written up here: https://duncanlock.net/blog/2022/05/29/supply-chain-attacks-...