Indeed, skipping the centralized package manager might be better in the long run.
There's really something nasty at play. Those coding agents are clearly not insulated enough from the system and are too easy to manipulate into exfiltrating sensitive information.
This is a good point. I feel unease at the current trend pushing toward cooldowns. The proposed rollout scheme is much better and fairer.
C++ too can have its own supply chain disasters with enough effort!
Can crates.io make things easier to secure? I do think so. But this post is right that we shouldn't forget the social aspect of the whole supply chain security conversation.
Indeed, the current supply chain model of Rust could be better. While we wait for improvements (with no sign of them coming), there are ways to try to avoid some of the common pitfalls.
Lots of interesting measures to reduce the risk of supply chain issues. Definitely worth considering for your projects.
We're not helped much by our tools here... Clearly provenance needs to be double-checked.
New packaging ecosystems bring their new attack vectors. This is definitely a teething problem which will need to be addressed soon.
There are growing concerns regarding the Rust supply chain. There's still time to address them, but it has become important to tackle this area.
Indeed, we might want to use dev containers more widely in the profession. If you're developing something for the desktop you're out of luck though.
Indeed, if you benefit from Free Software you'd better engage with it. Maintainers should stop bending over backwards to please freeloaders.
This is indeed the best way to handle your open source dependencies. I have concerns about the ability to sell that to management though, because of the extra steps. It's also probably why you want to have an OSPO in your company; it's a good way to lower the barrier for developers to contribute this way.
Interesting analysis of the crates ecosystem. It shows quite well some of the challenges and weaknesses. Nothing to worry about yet regarding the overall health of the ecosystem. Still, you should probably be careful when picking dependencies.
Nice overview of where we stand regarding supply chain security. Code reuse has never been so widespread and we still have fundamental issues leading to security problems.
This latest development in the Ruby community is rather concerning.
Unsurprisingly, it ends up with an advertisement for their own security tool. That said, the vector used for the attack is interesting. With more npm-like ecosystems available nowadays, should we expect to see more such attacks?
Nice automation for such updates. I'm discovering endoflife.date; this looks very handy.
A good explanation of why you likely don't want a centralised package manager for your ecosystem.
Good idea to standardise this for vendors just like we do using CVEs for software components. This would definitely improve dealing with breaches.