Re: "Practical security for supply chain attacks?"

In: s/OpenBSD

@drh3xx: Yes, upon further reflection, I feel safe enough forging ahead with OpenBSD. I'll give it a try! Thanks for your comments.

As for crates.io and the like, I definitely do not pull in unaudited dependencies for my own projects. I do, however, sometimes want to contribute to an open-source project that is not my own, and it's not realistic for me to audit everything before I check out the project and build it (and its myriad of dependencies). Depending on the scale of the project and the language(s) involved, I may be able to get away with vmm in such cases.

🛰️ repeater [OP]

2025-07-01 · 10 months ago

🌒 s/OpenBSD

🛰️ repeater:

Practical security for supply chain attacks? — I'm considering running OpenBSD on my laptop, but I'm concerned about supply chain attacks—both in transitive dependencies of packages added via pkg_add, and in dependencies of software I'm actively developing and building. On something like Fedora, I have Flatpak + Flatseal for GUI apps like Firefox and GIMP, and I have good VM options for command-line applications and for building software. On OpenBSD, however, all I really have are chroot, pf...

💬 8 comments · 2025-06-27 · 10 months ago