
Do we want to talk about the value of Distribution Curating in the context of Open Source Supply Chain Issues



The latest is
https://www.zdnet.com/article/hundreds-more-malicious-packages-found-in-npm-factory/


Unfortunately, I've seen this turning into generally negative stories
on open source supply chain reliability.

I think that Debian tends to have a great response to such supply chain
trust.  Namely we build a community, and typically multiple people are
involved in getting software into Debian.

As a consequence, we aren't able to package everything.
But I think we are much less likely to run into these sorts of supply
chain attacks.
Mind, not impossible.
But I think it would be good to talk about the advantages of Debian in
this space.

Any thoughts/interest?

--Sam
