[kwlug-disc] NPM supply chain worm
Chris Frey
cdfrey at foursquare.net
Thu Sep 18 18:27:08 EDT 2025
On Thu, Sep 18, 2025 at 09:49:45AM -0400, Jason Locklin via kwlug-disc wrote:
> So my question is, what is your decision tree for choosing sources
> to install software from? How trustworthy do you consider the various
> sources? Any no-go's?
When it comes to pip, it is possible to craft your requirements.txt
files so that they point to your own webserver, and contain and validate
each download with a sha256 sum.
This way, you only have to trust a package and a repository once.
After that, each deployment is guaranteed to be the same.
I have not reached that level of assurance with any other package
manager, but docker is possible in theory I think (use your own repo)
and Debian is in the trusted realm.
- Chris
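An added example (not from Chris's message or the kwlug list) of the pip setup described above: it builds a requirements.txt that points at your own index and pins every artifact to a sha256 hash, and shows the check pip performs against such a pin. The hostname, the wheelhouse directory and the package bytes are assumed placeholders constructed for the example.

```python
# Added example: build a hash-pinned requirements.txt for packages served from
# your own web server, and verify a download against the pinned hash.
# Assumptions (not from the post): artifacts were fetched once with
# `pip download`, reviewed, and copied to a wheelhouse served at INDEX_URL.
import hashlib
import hmac
import re

INDEX_URL = "https://pkgs.example.internal/simple/"  # assumed placeholder host

# Constructed sample artifacts (filename -> file bytes); real ones are wheels.
SAMPLE_FILES = {
    "requests-2.32.3-py3-none-any.whl": b"constructed wheel bytes A",
    "urllib3-2.2.2-py3-none-any.whl": b"constructed wheel bytes B",
}

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_package_name(filename: str):
    """Return (name, version) from a wheel or sdist filename."""
    m = re.match(r"^([A-Za-z0-9_.]+)-([0-9][^-]*)(?:-.*\.whl|\.tar\.gz)$", filename)
    if not m:
        raise ValueError(f"unrecognised package filename: {filename}")
    return m.group(1).replace("_", "-"), m.group(2)

def requirement_line(filename: str, data: bytes) -> str:
    """One pinned line in the syntax pip's --hash option expects."""
    name, version = parse_package_name(filename)
    return f"{name}=={version} --hash=sha256:{sha256_of(data)}"

def build_requirements(files: dict) -> str:
    """Point pip at our own index and pin every artifact by hash."""
    lines = [f"--index-url {INDEX_URL}"]
    for filename in sorted(files):
        lines.append(requirement_line(filename, files[filename]))
    return "\n".join(lines) + "\n"

def verify_download(requirements: str, name: str, data: bytes) -> bool:
    """The check pip makes in hash-checking mode: a mismatch aborts the install."""
    for line in requirements.splitlines():
        if line.startswith(f"{name}=="):
            pinned = line.split("--hash=sha256:", 1)[1].strip()
            return hmac.compare_digest(pinned, sha256_of(data))
    return False  # unpinned package: pip refuses it under --require-hashes

if __name__ == "__main__":
    print(build_requirements(SAMPLE_FILES), end="")
```

Install from the resulting file with `pip install --require-hashes -r requirements.txt`; once any line carries `--hash`, pip also rejects any requirement that lacks one.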