Hacker News

endre, today at 10:34 AM (2 replies)

that's cruise control for supply chain attacks, at the bare minimum


Replies

nicomt, today at 11:01 AM

I think if you set cooldowns and stick to more reputable sources, it might be okay. I do pin my versions and do manual updates in my home lab, but that's more for stability and so it increases the chances I'll catch update issues while I'm already there. I don't pretend that gives me any extra security, though, because I don't have the time to review updates beyond surface-level changelogs. I don't think the solution to supply chain issues is for every developer to be paranoid at all times. I think we need better systems built on top of existing package managers to check provenance and integrity, and to allow security researchers and automated tools to vet releases before they're distributed more broadly.
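The policy nicomt describes (pin a version, wait out a cooldown before adopting a newer release, and check integrity against a lockfile) as a small added example; this is not code from the thread, and the package name, release dates, digests and artifact bytes are all constructed.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed release metadata for a hypothetical package: version -> publish time (UTC).
RELEASES = {
    "1.4.0": datetime(2024, 3, 1, tzinfo=timezone.utc),
    "1.4.1": datetime(2024, 4, 10, tzinfo=timezone.utc),
    "1.5.0": datetime(2024, 5, 2, tzinfo=timezone.utc),
    "1.5.1": datetime(2024, 5, 3, 12, tzinfo=timezone.utc),  # published hours ago
}
NOW = datetime(2024, 5, 4, tzinfo=timezone.utc)

# Constructed lockfile: version -> expected SHA-256 of the downloaded artifact.
ARTIFACT_1_4_1 = b"examplepkg-1.4.1 constructed artifact"
LOCKFILE = {"1.4.1": hashlib.sha256(ARTIFACT_1_4_1).hexdigest()}


def parse_version(v):
    return tuple(int(p) for p in v.split("."))


def pick_version(releases, cooldown_days, now, pinned=None):
    """Newest version that has been public for at least cooldown_days.

    With a pin, only the pinned version is ever returned, and only once it
    too has aged past the cooldown. Returns None when nothing qualifies,
    so the caller keeps whatever it already has installed.
    """
    cutoff = now - timedelta(days=cooldown_days)
    if pinned is not None:
        published = releases.get(pinned)
        return pinned if published is not None and published <= cutoff else None
    eligible = [v for v, published in releases.items() if published <= cutoff]
    return max(eligible, key=parse_version) if eligible else None


def verify_artifact(version, data, lockfile):
    """True only if the artifact's SHA-256 matches the locked digest for that version."""
    expected = lockfile.get(version)
    if expected is None:  # unknown version: nothing to compare against, refuse
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    chosen = pick_version(RELEASES, cooldown_days=7, now=NOW)
    print("candidate after 7-day cooldown:", chosen)
    print("integrity ok:", verify_artifact(chosen, ARTIFACT_1_4_1, LOCKFILE))
```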

KaiserPro, today at 10:41 AM

I mean, is it really, more than any other update technique?