Tied up, shackled and then some: In contrast what you may be thinking after this intro, in this episode Martin and Chris take a closer look at an obscure concept known not only in esoteric circles as the software supply chain (chain being the keyword here). Once only appreciated by the inner circle of a small group of level-eight magicians, this concepts has now entered mainstream and is considered instrumental not only in the area creating and maintaining large scale codebases possibly clocking up a few million lines of code. This especially becomes important when a codebase largely relies on FLOSS components commonly downloaded from the internet. Relying on these components may cause a security issue if not handled with caution as not only the recent xz-utils incident (where possibly a nation-state actor) managed to infiltrate a popular compression library virtually used everywhere. So if you're interested in the security of your builds and applications, this is another episode you don't want to miss.

Links

• Left-pad incident: https://en.wikipedia.org/wiki/Npm_left-pad_incident
• Lucene library: https://lucene.apache.org/core
• Open source licenses episode (S01E36): https://archive.org/details/hpr3399
• SBOMs: https://about.gitlab.com/blog/the-ultimate-guide-to-sboms
• XZ Utils backdoor: https://en.wikipedia.org/wiki/XZ_Utils_backdoor
• OpenSSF's tools (not just SBOMs): https://openssf.org/projects
• Autotools: https://www.gnu.org/software/automake/manual/html_node/Autotools-Introduction.html
• SPDX: https://spdx.dev
• CycloneDX: https://cyclonedx.org
• valkey-search: https://github.com/valkey-io/valkey-
• Thunderbolts: https://www.marvel.com/movies/thunderbolts