
Reviews in Vouch refer to a particular version of a software package. If a new release is issued by a malicious actor, the new release would require a new review.

But the review process does not need to re-start from scratch. Reviews from other versions can be used to lessen the workload.

On the subject of automatically updating packages: the Vouch dependency analysis can be included in CI. Un-reviewed or review-failing dependency updates can be flagged for attention.



Who's reviewing the software package's dependencies?


Each dependency of a software package would have its own separate set of reviews.

Anyone can produce a review using Vouch. Official reviews will also be published in the future.


So every version of every dependency of every package needs a review? It only takes one version of one dependency of any software package to be compromised by supply chain.


Each developer may choose to minimize the software dependency attack surface to a different degree.

Perhaps they would trust a package published by Google without a review, but would require a review before using a package from an indie developer.

Incremental decreases in the attack surface are valuable.
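The CI gate and per-developer trust policy the comments above describe, as an added Python sketch that is not Vouch's own code or CLI. It models three points from the thread: a review covers exactly one version (a new release needs a new review, but earlier reviewed versions are reported so a reviewer can diff rather than start from scratch), a publisher the developer trusts may skip review, and anything unreviewed or review-failing is flagged before the build proceeds. The package names, publishers, reviewers, lockfile shape and the `Policy`, `check_dependencies` and `gate` helpers are all constructed for this example.

```python
"""Review-gated dependency check for CI (illustrative, not Vouch's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Dependency:
    name: str
    version: str
    publisher: str  # assumed: the registry account that published the release


@dataclass(frozen=True)
class Review:
    name: str
    version: str  # a review applies to exactly this version
    passed: bool
    reviewer: str


@dataclass(frozen=True)
class Policy:
    trusted_publishers: frozenset  # packages from these skip review entirely
    trusted_reviewers: frozenset   # only reviews by these identities count
    min_passing_reviews: int = 1


@dataclass(frozen=True)
class Finding:
    dependency: Dependency
    status: str  # "ok", "unreviewed" or "failed"
    reason: str
    previously_reviewed: tuple = ()  # other versions with a passing review


def check_dependencies(lockfile, reviews, policy):
    """Classify every locked dependency against the reviews and policy."""
    findings = []
    for dep in lockfile:
        if dep.publisher in policy.trusted_publishers:
            findings.append(Finding(dep, "ok", f"publisher {dep.publisher!r} is trusted without review"))
            continue
        # Only reviews from trusted reviewers count; an untrusted "passed" is ignored.
        trusted = [r for r in reviews if r.name == dep.name and r.reviewer in policy.trusted_reviewers]
        this_version = [r for r in trusted if r.version == dep.version]
        failing = [r for r in this_version if not r.passed]
        passing = [r for r in this_version if r.passed]
        if failing:
            who = ", ".join(sorted(r.reviewer for r in failing))
            findings.append(Finding(dep, "failed", f"review failed by {who}"))
        elif len(passing) >= policy.min_passing_reviews:
            findings.append(Finding(dep, "ok", f"{len(passing)} passing review(s)"))
        else:
            # A new release of a reviewed package: report the reviewed versions so the
            # reviewer can diff against them instead of reading the package afresh.
            prior = tuple(sorted({r.version for r in trusted if r.passed and r.version != dep.version}))
            findings.append(Finding(dep, "unreviewed", "no passing review from a trusted reviewer", prior))
    return findings


def gate(findings, block_on=("failed", "unreviewed")):
    """Return (exit_code, messages); exit_code 1 means the CI job should stop."""
    messages = []
    for f in findings:
        if f.status in block_on:
            msg = f"{f.dependency.name}=={f.dependency.version}: {f.status} ({f.reason})"
            if f.previously_reviewed:
                msg += f"; reviewed versions: {', '.join(f.previously_reviewed)}"
            messages.append(msg)
    return (1 if messages else 0), messages


# Constructed sample input: a lockfile, a review set and one developer's policy.
LOCKFILE = [
    Dependency("protobuf", "4.25.1", "google"),
    Dependency("tinyparser", "1.3.0", "indie-dev"),     # 1.2.0 was reviewed, 1.3.0 is new
    Dependency("colorlib", "0.9.0", "indie-dev"),       # review found a problem
    Dependency("fastjson", "2.1.0", "indie-dev"),       # one trusted pass, one untrusted pass
    Dependency("unsigned-lib", "0.1.0", "indie-dev"),   # only an untrusted reviewer vouched
]
REVIEWS = [
    Review("tinyparser", "1.2.0", True, "alice"),
    Review("colorlib", "0.9.0", False, "bob"),
    Review("fastjson", "2.1.0", True, "alice"),
    Review("fastjson", "2.1.0", True, "mallory"),
    Review("unsigned-lib", "0.1.0", True, "mallory"),
]
POLICY = Policy(trusted_publishers=frozenset({"google"}), trusted_reviewers=frozenset({"alice", "bob"}))

if __name__ == "__main__":
    code, msgs = gate(check_dependencies(LOCKFILE, REVIEWS, POLICY))
    print("\n".join(msgs) or "all dependencies reviewed or trusted")
    raise SystemExit(code)
```

Loosening the policy is a single line: adding "indie-dev" to `trusted_publishers` or passing `block_on=("failed",)` to `gate` lets unreviewed updates through as warnings only. The check is deliberately per exact version, so the `tinyparser` 1.2.0 review does not carry over to 1.3.0; it is only surfaced as a starting point for the new review.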



