●● IRC: #techbytes @ Techrights IRC Network: Tuesday, January 18, 2022 ●●
● Jan 18
[00:49] *u-amarsh04 has quit (Quit: Konversation terminated!)
[00:56] *u-amarsh04 (~amarsh04@t3phqsdfxhjau.irc) has joined #techbytes
● Jan 18
[01:14] *u-amarsh04 has quit (Quit: Konversation terminated!)
[01:24] *u-amarsh04 (~amarsh04@t3phqsdfxhjau.irc) has joined #techbytes
[01:46] *u-amarsh04 has quit (Quit: Konversation terminated!)
● Jan 18
[02:19] *DaemonFC (~daemonfc@r3zgarhjgt6ha.irc) has joined #techbytes
[02:50] *liberty_box has quit (Ping timeout: 2m30s)
[02:50] *rianne_ has quit (Ping timeout: 2m30s)
[02:51] *rianne has quit (Ping timeout: 120 seconds)
● Jan 18
[03:03] libertybox yes, checking
[03:08] *SomeH4x0r has quit (Ping timeout: 2m30s)
[03:11] *liberty_box (~liberty@suig26pxj59pi.irc) has joined #techbytes
[03:11] *rianne_ (~rianne@suig26pxj59pi.irc) has joined #techbytes
[03:11] *rianne (~rianne@joseon-jhg.17c.k31cok.IP) has joined #techbytes
[03:18] *SomeH4x0r (~someh4xx@vbku88433t7ju.irc) has joined #techbytes
● Jan 18
[04:10] *Despatche has quit (Quit: Read error: Connection reset by deer)
[04:10] *Despatche (~desp@u3xy9z2ifjzci.irc) has joined #techbytes
● Jan 18
[06:41] *GNUmoon2 has quit (Ping timeout: 2m30s)
[06:41] *DaemonFC has quit (Quit: Leaving)
● Jan 18
[07:28] *GNUmoon2 (~GNUmoon@bsgdwgkyty4d4.irc) has joined #techbytes
● Jan 18
[08:35] *psydroid4 (~psydroid@cqggrmwgu7gji.irc) has joined #techbytes
● Jan 18
[09:07] schestowitz
[09:07] schestowitz The well-known log4j security vulnerability of December 2021 triggered a lot of renewed discussions around software supply chain security, and sometimes it has also been said to be an Open Source related issue.
[09:07] -TechBytesBot/#techbytes- daniel.haxx.se | Enforcing the pyramid of Open Source | daniel.haxx.se
[09:07] schestowitz This was not the first software component to have a serious security flaw, and it will not be the last.
[09:07] schestowitz This is the 10,000 dollar question that is really hard to answer. In this post I hope to help putting some light on to why it is such a hard problem. This comes from my view as an Open Source author and contributor since almost three decades now.
[09:07] schestowitz In this post I'm going to talk about security as in how we make our products have less bugs in the code we write and land on purpose. There is also a lot to be said about infrastructure problems such as consumers not verifying dependencies so that when malicious actors purposely destroy a component, users of that don't notice the problem, or supply chain security issues that risk letting bad actors insert malicious code
[09:07] schestowitz into components. But those are not covered in this blog post!