
Fedora and supply-chain attacks

Posted Jun 17, 2021 17:29 UTC (Thu) by Foxboron (subscriber, #108330)
In reply to: Fedora and supply-chain attacks by smoogen
Parent article: Fedora and supply-chain attacks

> The general attack point for supply chains is the source code and not the binaries, as the problem is my taking over someone's GitHub, or getting upload rights to PyPI/CPAN/npm/etc.

Citation needed. Most prominent attacks, even the one mentioned in this article, are attacks at the distribution site, not source code repositories. SolarWinds would have been countered by reproducible builds. Same with Linux Mint getting their ISOs compromised a few years ago.

PyPI, CPAN and npm are also independent of the forge. If you can reproduce the expected tarball, then any attacks towards these can be detected. This means most of the "subversive tarball" compromises you have seen from npm would be addressed by reproducible builds.

But let's ignore that and just address the argument :)

Transparency logs and reproducible builds complement each other. Each of these things separately deals with different aspects of the supply chain. But you are also moving the goalposts, which is easy to do. Let me help you!

Even if you *do* secure the source-code repositories, how do you protect against subversive compilers? Trusting-trust attacks are covered by neither reproducible builds, transparency logs nor a secure source-code repository. They sit one level below.

Does this mean we should ignore all the other challenges and focus on this one problem? Not at all! We should address each of these issues, as any one of these improvements does give you a more secure ecosystem, even if just a tiny bit.

(And before someone starts mentioning subversive compilers I do recommend reading up on what the community has been capable of achieving with the GNU Mes C compiler, https://dwheeler.com/trusting-trust/#real-world. We are close to actually being able to address large parts of the chain.)

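To make the "reproduce the expected tarball" check concrete, here is an added example (constructed for this page, not code from the commenters, LWN or any project) in the style of what a verifier could run against a PyPI-style source tarball. It builds an sdist-like tar.gz with build-environment noise pinned (fixed mtime in the spirit of SOURCE_DATE_EPOCH, zeroed owner, normalized mode, sorted entries, pinned gzip header), shows that two checkouts of the same source yield byte-identical archives, and then shows a tarball altered at the distribution site failing the digest comparison. The package name, file contents and the fixed timestamp are assumptions.

```python
"""Reproducible source tarball + verification against a published artifact.

Constructed demo for this thread: not code from LWN or from any project.
"""
import gzip
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path

# Fixed timestamp in the spirit of SOURCE_DATE_EPOCH (assumption: any fixed value works).
SOURCE_DATE_EPOCH = 1_600_000_000


def _normalize(info: tarfile.TarInfo) -> tarfile.TarInfo:
    """Strip build-environment noise from a tar entry so two builds agree."""
    info.uid = info.gid = 0
    info.uname = info.gname = ""
    info.mtime = SOURCE_DATE_EPOCH
    # Keep only the executable bit; umask differences are a classic source of drift.
    info.mode = 0o755 if info.mode & 0o100 else 0o644
    return info


def build_reproducible_tarball(src_dir: str, prefix: str) -> bytes:
    """Return gzip'd tar bytes whose digest depends only on file paths and contents."""
    src = Path(src_dir)
    buf = io.BytesIO()
    # The gzip header carries its own mtime and filename; pin both.
    with gzip.GzipFile(filename="", mode="wb", fileobj=buf, mtime=0) as gz:
        with tarfile.open(fileobj=gz, mode="w", format=tarfile.GNU_FORMAT) as tar:
            # Sorted traversal: directory listing order is filesystem-dependent.
            for path in sorted(p for p in src.rglob("*") if p.is_file()):
                arcname = f"{prefix}/{path.relative_to(src).as_posix()}"
                tar.add(path, arcname=arcname, recursive=False, filter=_normalize)
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_published(src_dir: str, prefix: str, published: bytes) -> tuple[bool, str, str]:
    """Rebuild from the forge checkout and compare with what the index serves.

    Returns (match, digest_rebuilt_from_source, digest_of_published_artifact).
    """
    expected = sha256_hex(build_reproducible_tarball(src_dir, prefix))
    actual = sha256_hex(published)
    return expected == actual, expected, actual


def _write_tree(root: Path, files: dict[str, str]) -> None:
    for rel, text in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)


def demo() -> dict[str, bool]:
    """Constructed scenario: an honest tarball reproduces, a subverted one does not."""
    sources = {
        "setup.py": "from setuptools import setup\nsetup(name='pkg', version='1.0')\n",
        "pkg/__init__.py": "def hello():\n    return 'hello'\n",
    }
    results = {}
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        _write_tree(Path(a), sources)
        _write_tree(Path(b), sources)
        # Same source checked out twice (different dirs, different on-disk mtimes) -> same bytes.
        honest = build_reproducible_tarball(a, "pkg-1.0")
        results["two_builds_identical"] = honest == build_reproducible_tarball(b, "pkg-1.0")
        # The artifact the index serves matches the rebuild from the forge.
        results["honest_verifies"] = verify_published(a, "pkg-1.0", honest)[0]
        # An artifact altered after upload: one extra line that is not in the source tree.
        tampered = {**sources, "pkg/__init__.py": sources["pkg/__init__.py"] + "# line not in the repo\n"}
        with tempfile.TemporaryDirectory() as c:
            _write_tree(Path(c), tampered)
            subverted = build_reproducible_tarball(c, "pkg-1.0")
        results["subverted_detected"] = not verify_published(a, "pkg-1.0", subverted)[0]
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The check only tells you the published archive equals what the forge's source produces; it says nothing about whether that source is itself trustworthy, which is exactly the gap the comment above assigns to transparency logs and to the compiler layer below both.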


Fedora and supply-chain attacks

Posted Jun 18, 2021 12:11 UTC (Fri) by Conan_Kudo (subscriber, #103240)

> Citation needed. Most prominent attacks, even the one mentioned in this article, are attacks at the distribution site, not source code repositories. SolarWinds would have been countered by reproducible builds. Same with Linux Mint getting their ISOs compromised a few years ago.

Most compromises are in source-based "distribution centers" (PyPI, NPM, Packagist, etc.). It's relatively rare for binary ones to be successfully attacked, because those are usually better defended with integrity checks and such.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds