We've all been hearing a lot about software supply chain security, but what does it mean to make open source more secure? Will a software bill of materials, package signatures, and more complex build systems prevent the next LOG4SHELL, HEARTBLEED, or PANTSDOWN?
Not exactly, though such tools will help us respond faster and prevent some types of attacks. While ensuring that *these* bytes get from *here* to *there*, without being tampered with along the way, is important—it's only part of the puzzle. To secure the long tail of open source, all those projects that aren't in the limelight but *are* in critical systems, we must understand that our projects are more than mere code. They are a relationship built upon trust.
And in an open source community this large and globally interconnected, we need to understand how we trust people that we may never meet.