undefined | Better HN

0 pointsGuvante2y ago0 comments

There are attacks that embed hacks into built compilers so unless you are looking to write your software from scratch you need to trust people.

And by scratch I mean "without modern hardware" given supply chain attacks also apply to the hardware you build from.

0 comments

josephg2y ago

Of course we need to trust people to some degree. There's an old Jewish saying - put your trust in god, but your money in the bank. I think its like that. I'm all for trusting people - but I still like how my web browser sandboxes every website I visit. That is a good idea.

We (obviously) put too much trust in little libraries like xz. I don't see a world in which people start using fewer dependencies in their projects. So given that, I think anything which makes 3rd party dependencies safer than they are now is a good thing. Hence the proposal.

The downside is it adds more complexity. Is that complexity worth it? Hard to say. Thats still worth talking about.

ui2RjUen875bfFA2y ago

i guess the big opensource community should put a little bit more trust in statistics or integrate statistic evaluation in their decission making to use specific products in their supply chains.

there are some researches on the right track already https://www.se.cs.uni-saarland.de/projects/congruence/

j / k navigate · click thread line to collapse