
There are attacks that embed hacks into built compilers, so unless you are looking to write your software from scratch, you need to trust people.

And by scratch I mean "without modern hardware" given supply chain attacks also apply to the hardware you build from.



Of course we need to trust people to some degree. There's an old Jewish saying - put your trust in God, but your money in the bank. I think it's like that. I'm all for trusting people - but I still like how my web browser sandboxes every website I visit. That is a good idea.

We (obviously) put too much trust in little libraries like xz. I don't see a world in which people start using fewer dependencies in their projects. So given that, I think anything which makes 3rd party dependencies safer than they are now is a good thing. Hence the proposal.

The downside is it adds more complexity. Is that complexity worth it? Hard to say. That's still worth talking about.


I guess the big open-source community should put a little bit more trust in statistics, or integrate statistical evaluation into their decision making when choosing specific products for their supply chains.

There is some research on the right track already: https://www.se.cs.uni-saarland.de/projects/congruence/





