• TechNom (nobody)
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Also, do you know anybody who has solved it in opensource?

    I forgot to mention that this is a problem on every major language registry - especially PyPI and NPM.

    How would you enforce the solution on some dude writing code in his basement to “just make it work” on his 1 day off from an otherwise busy life?

    There are two things to consider. The first is that all major open source languages are run by foundations with big players and a lot of funding and donations. It’s probably a good idea to invest in a paid team dedicated to security. I’m sure everyone’s thought about it already but hasn’t done enough so far.

    The second fact is that professionals - especially security companies - do occasionally report them. Like this story, for instance. So they are doing something right and it’s possible. It’s a good idea to fund them and increase their scope (hopefully, they won’t introduce any malware just to claim the prize).

    • KillTheMule
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      I’m sure everyone’s thought about it already but hasn’t done enough so far.

      Note though that the rust foundation has established a security initiative (see e.g. here), which does include the supply chain via crates.io.