Backdoors (lemmy.ml)
RegalPotoo@lemmy.world 18 points 4 months ago* (last edited 4 months ago)

It's a really wicked problem to be sure. There is work underway in a bunch of places around different approaches to this; take a look at SBoM (software bill-of-materials) and reproducible builds. Doesn't totally address the trust issue (the malicious xz releases had good gpg signatures from a trusted contributor), but makes it easier to spot binary tampering.

wizzim@infosec.pub 11 points 4 months ago* (last edited 4 months ago)

+1

Shameless plug for the OSS Review Toolkit project (https://oss-review-toolkit.org/ort/), which analyzes your package manager, builds a dependency tree and generates an SBOM for you. It can also check for vulnerabilities with the help of VulnerableCode.

It is mainly aimed at OSS Compliance though.

(I am a contributor)
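Both comments above point at the same check: an SBOM only helps against binary tampering if someone actually recomputes the artifact hashes it records, ideally against hashes from an independent, reproducible build rather than trusting whoever signed the release. The script below is an added example, not code from the thread, from ORT or from any project named there. It builds a minimal CycloneDX-style SBOM (only the `components`/`hashes` fields; the rest of the format is omitted) from a known-good build, then verifies a second set of artifacts against it. The component names and byte contents are constructed for the example; the "tampered" artifact is just a changed byte string, not anything taken from the real xz incident.

```python
"""Verify artifacts against the SHA-256 hashes recorded in a CycloneDX-style SBOM.

Added example (not from the thread or ORT). Assumptions: the SBOM is the
minimal CycloneDX-like dict produced by build_sbom() below, and artifacts are
passed as an in-memory {name: bytes} mapping rather than read from disk.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (the hash algorithm CycloneDX lists as 'SHA-256')."""
    return hashlib.sha256(data).hexdigest()


def build_sbom(components: dict[str, bytes]) -> dict:
    """Record each component's SHA-256 from a trusted (e.g. reproducible) build.

    Only the fields this check needs are emitted; a real SBOM carries more.
    """
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": [
            {
                "type": "library",
                "name": name,
                "hashes": [{"alg": "SHA-256", "content": sha256_hex(data)}],
            }
            for name, data in components.items()
        ],
    }


def verify_against_sbom(sbom: dict, artifacts: dict[str, bytes]) -> dict[str, str]:
    """Compare distributed artifacts with the SBOM.

    Returns a per-name status: 'ok' (hash matches), 'tampered' (name listed but
    hash differs), 'missing' (listed but absent), or 'unlisted' (present but
    not in the SBOM, which deserves a look just as much as a mismatch).
    """
    results: dict[str, str] = {}
    for comp in sbom["components"]:
        name = comp["name"]
        expected = {
            h["content"].lower()
            for h in comp.get("hashes", [])
            if h.get("alg") == "SHA-256"
        }
        if name not in artifacts:
            results[name] = "missing"
        elif sha256_hex(artifacts[name]) in expected:
            results[name] = "ok"
        else:
            results[name] = "tampered"
    for name in artifacts:
        results.setdefault(name, "unlisted")
    return results


# Constructed sample data: what an independent rebuild produced ...
TRUSTED_BUILD = {
    "example-lib.so": b"\x7fELF example library bytes (constructed)",
    "example-tool": b"#!/bin/sh\necho constructed tool\n",
    "README": b"constructed readme\n",
}
# ... versus what arrived in the "release" tarball (one file altered, one
# dropped, one extra file added). A valid signature over this tarball would
# not catch any of that; the hash comparison does.
RELEASE_ARTIFACTS = {
    "example-lib.so": b"\x7fELF example library bytes (constructed) + extra",
    "example-tool": b"#!/bin/sh\necho constructed tool\n",
    "build-helper.m4": b"constructed unexpected extra file\n",
}


def demo() -> dict[str, str]:
    """Run the check on the constructed data and return the status map."""
    return verify_against_sbom(build_sbom(TRUSTED_BUILD), RELEASE_ARTIFACTS)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:9s} {name}")
```

The useful property is that the comparison is against hashes produced by a build you ran (or that several independent parties reproduced), not against hashes shipped alongside the artifact by the same party that could have tampered with it.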

this post was submitted on 30 Mar 2024