Comment by gizmo686

Comment by gizmo686 4 days ago

0 replies

View on Hacker News

That can only go so far. Assuming there is no container/VM escape, most software is built to get used. You can protect yourself from malicious dependencies in the build step. But at some point, you are going to do a production build, that needs to run on a production system, with access to production data. If you do not trust your supply chain; you need to fix that.

If you excuse me, I have a list of 1000 artifacts I need to audit before importing into our dependency store.