• RegalPotoo@lemmy.world
    link
    fedilink
    English
    arrow-up
    19
    ·
    edit-2
    7 months ago

    It’s a really wicked problem to be sure. There is work underway in a bunch of places around different approaches to this; take a look at SBoM (software bill-of-materials) and reproducible builds. Doesn’t totally address the trust issue (the malicious xz releases had good gpg signatures from a trusted contributor), but makes it easier to spot binary tampering.

    • wizzim@infosec.pub
      link
      fedilink
      arrow-up
      12
      ·
      edit-2
      7 months ago

      +1

      Shameless plug to the OSS Review Toolkit project (https://oss-review-toolkit.org/ort/) which analyze your package manager, build a dependency tree and generates a SBOM for you. It can also check for vulnerabilitiea with the help of VulnerableCode.

      It is mainly aimed at OSS Compliance though.

      (I am a contributor)