freedomofpress / dangerzone

Take potentially dangerous PDFs, office documents, or images and convert them to safe PDFs
https://dangerzone.rocks/
GNU Affero General Public License v3.0

Improve Supply Chain Security #188

Open deeplow opened 2 years ago

deeplow commented 2 years ago

The issue started originally with just making builds reproducible, but there are other supply chain attack vectors. For example, if some build tools introduce malicious code, then the build will be maliciously reproducible. So we need to think carefully about what other mitigations there are beyond reproducible builds.

References:

deeplow commented 1 year ago

Some issues related to docker image reproducibility are highlighted here: https://docs.dasharo.com/osf-trolling-list/build_process/#how-to-use-flashrom-to-backup-vendor-bios