Supply Chain Security

[max-au]

Ensure supply chain security for code/package repositories (e.g. hex.pm)

[voltone]

Let's collect some thoughts here, we can discuss in the next meeting how we want to turn this into actionable tasks/projects/documents. I would suggest we try to answer the following questions:

• What kind of supply chain security issues are we trying to protect against?
• What tools/mechanisms/processes exist today, and what protections do they provide?
• Which of the identified risks are currently not (sufficiently) addressed?
• What tools/mechanisms/processes can be proposed to improve the situation?

[voltone]

What kind of supply chain security issues are we trying to protect against?

Some possibilities:

• Typosquatting
• Dependency confusion (public package with a name matching somebody's private package)
• Bait-and-switch (a useful package transforms to malware after gaining adoption)
• New maintainer of popular package proves to be bad actor
• Malware in a PR, missed by maintainers/reviewers
• Unauthorized package updates (e.g. after maintainer email account take-over)
• Malicious package repository mirror
• Man-in-the-Middle attack on connection to package repository
• Primary package repository compromised

[DianaOlympos]

Following the Biden Admin EO, we can expect a lot of talks about SBOM.

Worth pointing out for people to have a look at are GITBOM Analysis of the supply chain landscape by the OSFF