Supply Chain Security

Tags: vendoring; dependencies.

• Supply Chain Security video by Jonhoo.
  • He might also have a post on it.
• Armin Ronacher
  • Build it yourself
  • On Tech Debt: My Rust Library is now a CDO
  • Dependency Risk and Funding
    • Micropackages and Open Source Trust Scaling
      • Learned about npm shrinkwrap docs
      • Why Package Signing is not the Holy Grail
    • Few other articles linked here.
• https://github.com/actions/attest-build-provenance - found in the GitHub Repo’s Actions Management tab.
  • https://slsa.dev/spec/v1.0/provenance
    • How to SLSA - https://slsa.dev/how-to/
  • https://github.com/sigstore/cosign → https://www.sigstore.dev/
• https://edu.chainguard.dev/chainguard/chainguard-images/overview/