Comment by kjok
I believe that FOSS maintainers can gain financial independence and sustain their projects by "selling" hardened FOSS projects (think supply-chain security assurance) to consumers. I'm working on enabling this. DM me if interested.
I believe that FOSS maintainers can gain financial independence and sustain their projects by "selling" hardened FOSS projects (think supply-chain security assurance) to consumers. I'm working on enabling this. DM me if interested.
For supply-chain security, you need basically two things; 1) audit all the source code 2) build the source code (almost) without using any binaries.
The CREV folks are working on distributed code review, and the Bootstrappable Builds folks are working on building an entire Linux distro without any existing binaries, starting from an MBR worth of commented machine code.
https://github.com/crev-dev/ https://bootstrappable.org/ https://lwn.net/Articles/983340/
Sounds promising. How do you propose we create "hardened" projects?