Also, do you know anybody who has solved it in opensource?
I forgot to mention that this is a problem on every major language registry - especially PyPI and NPM.
How would you enforce the solution on some dude writing code in his basement to “just make it work” on his 1 day off from an otherwise busy life?
There are two things to consider. The first is that all major open source languages are run by foundations with big players and a lot of funding and donations. It’s probably a good idea to invest in a paid team dedicated to security. I’m sure everyone’s thought about it already but hasn’t done enough so far.
The second fact is that professionals - especially security companies - do occasionally report them. Like this story, for instance. So they are doing something right and it’s possible. It’s a good idea to fund them and increase their scope (hopefully, they won’t introduce any malware just to claim the prize).
I forgot to mention that this is a problem on every major language registry - especially PyPI and NPM.
There are two things to consider. The first is that all major open source languages are run by foundations with big players and a lot of funding and donations. It’s probably a good idea to invest in a paid team dedicated to security. I’m sure everyone’s thought about it already but hasn’t done enough so far.
The second fact is that professionals - especially security companies - do occasionally report them. Like this story, for instance. So they are doing something right and it’s possible. It’s a good idea to fund them and increase their scope (hopefully, they won’t introduce any malware just to claim the prize).
Note though that the rust foundation has established a security initiative (see e.g. here), which does include the supply chain via crates.io.
Thanks! I missed that one. They are awesome!