https://drewdevault.com/2022/05/12/Supply-chain-when-will-we-learn.html
This article makes a good case for why Linux Distro packages add significant security value over language package managers like Npm, Cargo, etc. These are tradeoffs – language package managers provide value in that they allow people to move much faster. It is interesting that I can’t find any malicious Go packages. Perhaps publishing the entire source URL as the package name helps as this is harder to take over? However, a Github account could still be compromised – especially for an abandoned package. At any rate, I like the way Go does packages as there is a more direct link between the package name and the source code. Sylvain Kerkour thinks so too:
Packages management
I don’t like centralized package repositories. They add complexity and obfuscation, all while supply chain attacks are increasing.
It is possible to import packages from Git in Rust, but as it’s not the “official” way, the packages you import from Git will surely import packages from crates.io themselves
So please, follow the Go model: centralized discovery but decentralized distribution. It’s not perfect, but it certainly reduces the chances of a successful supply chain attack.
Another article:
https://kerkour.com/supply-chain-attacks-and-backdoored-dependencies
Are supply chain attacks and backdoor unstoppable?
I don’t think so, but I think that the current model of centralized package managers needs to end. Centralized package repositories add layers of obfuscation and complexity, which is only good for attackers.
I think that a better model for package management is decentralized distribution with centralizedd search.
This is why I think that today, Go has the best approach to supply chain security: Git-based dependency distribution, which enables easier auditing, a centralized database of modules’ content so that everybody get the same code for a given
module@version
, and no build-time scripts.While we will never be able to stop the compromise of 3rd party libraries, we can do our best to ease the detection.