Supply chain risk gets all the headlines, but personally I think it's a bit overhyped.
That said, things like SRI don't really fully fix the supply chain issue. Supply chain issues usually mean the developer intentionally upgrades to a new version that, unbeknownst to them, is malicious. It is usually not about a resource getting replaced with nobody realizing it; everyone realizes the upgrade is happening. In such a situation, it is likely SRI hashes would get upgraded too.
Solutions like hashes or digital signatures are useless if the person being tricked is the one responsible for signing things.
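
Added example, not part of the original comment: a Python sketch of an SRI-style check showing the two cases the comment contrasts, a resource swapped behind a pinned hash versus an upgrade where the developer regenerates the pin. The function names and the file contents are constructed for illustration.

```python
import base64
import hashlib

# Hash algorithms SRI accepts, ordered weakest to strongest.
ALGOS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Build an integrity value such as 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def sri_matches(integrity: str, content: bytes) -> bool:
    """Browser-style check: only the strongest listed algorithm counts,
    and any hash of that strength may match."""
    entries = []
    for token in integrity.split():
        algo, _, value = token.partition("-")
        if algo in ALGOS and value:
            entries.append((algo, value.split("?")[0]))  # drop options
    if not entries:
        return True  # no usable metadata: the resource loads unchecked
    strongest = max((a for a, _ in entries), key=ALGOS.index)
    return any(sri_hash(content, a) == f"{a}-{v}"
               for a, v in entries if a == strongest)


def scenarios() -> dict:
    # Constructed file contents; v2 stands in for a release that was
    # already compromised upstream when the developer pulled it.
    v1 = b"export const add = (a, b) => a + b;\n"
    swapped = v1 + b"/* changed on the CDN after pinning */\n"
    v2 = b"export const add = (a, b) => a + b; /* compromised release */\n"

    pinned = sri_hash(v1)      # pin written when v1 was adopted
    repinned = sri_hash(v2)    # pin regenerated by the upgrade tooling
    return {
        "original_loads": sri_matches(pinned, v1),
        "silent_swap_loads": sri_matches(pinned, swapped),
        "stale_pin_blocks_upgrade": not sri_matches(pinned, v2),
        "repinned_upgrade_loads": sri_matches(repinned, v2),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The check rejects the silent swap, but once the pin is regenerated as part of the upgrade it accepts whatever the new release contains.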