Does any of that matter if you’re not auditing the packages you install?

I’m more concerned about sources being poisoned over the build processes. Xz is a great example of this.

I think you get more bang for your buck focusing on build security than on audited sources. If the build is solid then it forces attackers to work in the open where all auditors can work together towards spoiling their efforts.

But if you flip it around and have magically audited source but a shaky build, then perhaps a diligent user can protect themselves, but the attacker can just keep trying until they compromise somebody who is less diligent. Sure, scanners exist, but if you have access to the scanner you can likely re-hide the payload without much additional effort. You could even hide it differently for each user you attack.