[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Do we want to talk about the value of Distribution Curating in the context of Open Source Supply Chain Issues


On Tue, Mar 29, 2022 at 03:27:54PM -0600, Sam Hartman wrote:
> The latest is
> https://www.zdnet.com/article/hundreds-more-malicious-packages-found-in-npm-factory/
> Unfortunately, I've seen this  turning into generally negative stories
> on open source supply chain reliability.
> I think that Debian tends to have a great response to such supply chain
> trust.  Namely we build a community, and typically multiple people are
> involved in getting software into Debian.
> As a consequence, we aren't able to package everything.  But I think we are
> much less likely to run into these sort of supply chain attacks.  Mind, not
> impossible.  But I think it would be good to talk about the advantages of
> Debian in this space.
> Any thoughts/interest?

Yes, I agree we have something valuable to contribute to this debate; and I
feel our point of view is underrepresented.  And uhm....  "patches welcome":
e.g. in the form of blog post, interviews, ...

My 0,02



Reply to: