NPM is down due to Cloudflare Workers outage
30 points by theobr 7 months ago | hide | past | favorite | 4 comments
npm installs are failing for many due to the Cloudflare outage. No report on the npm side yet.

UPDATE: npm status has been updated to reflect issues https://status.npmjs.org
Host your own dependencies folks!

There are three major types of risk in the software supply chain:

  - Correctness. Does the source have flaws (or backdoors) that allow it to be exploited?
  - Integrity. Was it tampered with from source to binary (typically to inject intentional flaws or backdoors)?
  - Availability. Is it available for use in a build?

This last one is often ignored. It's less sensational, and "nothing ever goes away from the Internet, right? Right???"

There are all kinds of nasty examples of dependencies going away. The two big patterns are:

  - Infrastructure availability. That's this case, and yes, CDNs are a nasty point of failure. Wanna guess how many package managers depend on a single CDN?
  - Intentional delisting. This has happened often enough over the past few years: the package maintainer throws their toys out of the pram and either removes the package from public access or effectively zeros it out. This can happen to the source too (hello colors.js).

The ideal is to have your build process be hermetic, not just from when you kick off the build but over a longer period of time. At the very least, have an artifact management solution that you control as a caching proxy.

I'd like to see the major cloud providers caching all the major package repos inside their networks.

I'd also like to see multiple CDNs for every major package ecosystem.

I highly recommend reading https://slsa.dev


Would be good for them to implement some kind of P2P fallback. As in: if Cloudflare is down, npm can go and query some kind of IPFS version. After all, many of these packages are most likely already hosted by thousands if not millions of other clients.

They would just need to run their own IPFS client, so every NPM module is at least pinned by NPM. And then users who do an npm install could have the option to be a part of the P2P pool, which would essentially just spin a light IPFS client on their side to pin the modules downloaded.

The hash table associating each npm module => IPFS link could then be duplicated on other hosts (AWS, Google) and consulted as fallback if Cloudflare is down.

Or even, this strategy could be used to reduce bandwidth costs even in day-to-day operations.


IPFS random lookup time is about 30 seconds. A fresh npm install would take hours.


npm