Richard Bucker

Trust Supply Chain

Posted at — Jan 10, 2022

Yet another post… npm with subverted code. Then Google thought I cared about yet another distro release. Then I started to think about why doesn’t OpenBSD try harder to get it working on a modern laptop rather than Lenovo maintaining its market price.

Trust is so easy to dilute. Think cryptocurrencies, aliens, politics … now I understand why there is authoritarianism when trust is low and the people are weak.

“OpenSource” is a pretty good idea and yet the GPL is not. The GPL serves to ensure that vendors who incorporate GPL-licensed components in their products open-source their own projects. But now I find myself asking a different kind of question. Just because it’s open source and maybe it’s code complete, how does one audit the code and the binary, especially when it’s embedded?

My wishes for 2022: