
Re: Do we want to talk about the value of Distribution Curating in the context of Open Source Supply Chain Issues



Hi,

On Tue, Mar 29, 2022 at 03:27:54PM -0600, Sam Hartman wrote:
> 
> The latest is
> https://www.zdnet.com/article/hundreds-more-malicious-packages-found-in-npm-factory/
> 
> Unfortunately, I've seen this  turning into generally negative stories
> on open source supply chain reliability.
> 
> I think that Debian tends to have a great response to such supply chain
> trust.  Namely we build a community, and typically multiple people are
> involved in getting software into Debian.
> 
> As a consequence, we aren't able to package everything.  But I think we are
> much less likely to run into this sort of supply chain attack.  Mind, not
> impossible.  But I think it would be good to talk about the advantages of
> Debian in this space.
> 
> Any thoughts/interest?

Yes, I agree we have something valuable to contribute to this debate; and I
feel our point of view is underrepresented.  And uhm....  "patches welcome":
e.g. in the form of blog post, interviews, ...

My 0,02

Bye,

Joost
