How Much Do You Trust That Package? Understanding The Software Supply Chain
C2 | Mon 21 Jan | 1:55 p.m.–2:15 p.m.
Did you hear the one where someone gave the maintainership of an npm module to some rando who stuck a cryptocurrency miner in it? Hilarious, right! Well, did you also hear the one where someone uploaded malicious packages to PyPI with names similar to those of popular packages? Supply chain security is a huge issue in modern software development, and not just for Node.js developers. The prevalence of third-party modules, the lack of maintainer time and compensation, and the speed at which we try to develop mean that there are many ways the software supply chain can cause you headaches. This talk will cover the history of the software supply chain, the issues that have cropped up in it and why, and some ways to deal with the risks these create.