
Re: Do we want to talk about the value of Distribution Curating in the context of Open Source Supply Chain Issues

Hi Sam and Joost

El 31/3/22 a las 20:58, Joost van Baal-Ilić escribió:
> Hi,
> On Tue, Mar 29, 2022 at 03:27:54PM -0600, Sam Hartman wrote:
>> The latest is
>> https://www.zdnet.com/article/hundreds-more-malicious-packages-found-in-npm-factory/
>> Unfortunately, I've seen this  turning into generally negative stories
>> on open source supply chain reliability.
>> I think that Debian tends to have a great response to such supply chain
>> trust.  Namely we build a community, and typically multiple people are
>> involved in getting software into Debian.
>> As a consequence, we aren't able to package everything.  But I think we are
>> much less likely to run into these sort of supply chain attacks.  Mind, not
>> impossible.  But I think it would be good to talk about the advantages of
>> Debian in this space.
>> Any thoughts/interest?
> Yes, I agree we have something valuable to contribute to this debate; and I
> feel our point of view is underrepresented.  And uhm....  "patches welcome":
> e.g. in the form of blog post, interviews, ...
> My 0,02
> Bye,
> Joost
I agree, it's one of Debian's strengths and it would be very nice to publish an
article about it.

I don't feel confident to write it myself alone, though.

I have written some ideas in our pad on storm.debian.net ( https://deb.li/publipad
), which I am attaching to this message too, as a markdown text. I have taken some
sentences from www.debian.org/intro/why_debian

I didn't commit this draft to the bits repo yet, for several reasons:
* I don't like the title :-)
* I think Sam has more or different ideas in mind that could result in a heavy
rewrite (which is welcome!)
* I think that we need to be careful when writing and publishing this, at a date
and in a way that nobody feels attacked (whether other software communities, or
individual maintainers, or Debian teams with a very low bus factor, or whatever).
So maybe we can commit the draft when it's more "mature". My goal would be to
show the advantages of Debian to the wider audience in this aspect, and also to
encourage Debian contributors and developers to help improve.

Kind regards,
Laura Arjona Reina
Title: The value of distribution curating
Slug: value-distribution-curating
Date: 2022-04-15 10:00
Author: Name Surname(s)
Tags: tag1, tag2
Status: draft

In recent times we have seen news turning into generally negative stories
on open source supply chain reliability: 
malicious packages found in language package repositories,
copycat packages that could trick developers into falling for a 'newer' version, 
dependency confusion issues...[FIXME_COMPLETE_OR_REWRITE]

One of the reasons is that almost anyone can publish packages to certain open-source ecosystems,
other reasons can be lack of curation, [FIXME_COMPLETE]

Debian does its best to have a great response to supply chain trust.
We provide a reasonable default configuration for every package as well as regular security updates during the packages' lifetimes. 
We have a [policy](https://www.debian.org/doc/debian-policy/) which defines technical requirements for every package included in the distribution. 
Our Continuous Integration strategy involves Autopkgtest (runs tests on packages), Piuparts (tests installation, upgrade and removal), and Lintian (checks packages for inconsistencies and errors). 
But most important, we build a community, where multiple people are involved in getting software into Debian, and are committed to our Social Contract, setting collective goals like our priorities (our users and free software) and giving back to the free software community (e.g. sending improvements to the upstream projects and coordinating security fixes).

As a consequence of this high 'human touch' (and thus non-automated) way of producing software, we aren't able to package everything. [FIXME_COMPLETE - mention other disadvantages]

[PARAGRAPH_ABOUT_HOW_TO_HELP] join teams, step ahead to get more involved to enlarge the teams of core contributors, help maintaining the infrastructure or automating stuff so people can spend more time on curating software...
