Add supply chain attacks to "Common Threats" page

It would be great if you guys could add info about supply chain attacks at, there is some info about it here but specific to AUR.

Any community contribution would be greatly appreciated :smile:.

I think the passive attack section does partly imply supply chain threats

When it comes to application security, we generally don’t (and sometimes can’t) know if the software we use is malicious, or might one day become malicious.

But making it more explicit would be good, I agree.

I’ve heard open source security people say it’s a rabbit hole with no visible end right now.

I think it could have its own section and have been working on a PR in this regard.

It’s an important issue, especially with software these days having a lot of external dependencies.

We see some articles about it for modern tooling:

We also see some examples of that in:

One of the most famous ones in the past was the patches that Debian applied to the OpenSSL random number generator, CVE-2008-0166. I’m not sure whether malicious intent was ever proven like with the XZ vulnerability, e.g. (purposefully obfuscated code).

I don’t know what a plausible mitigation is for a fundamentally cultural/economical problem.

The XZ developer had flagged mental health issues and was desperate for extra assistance on the project, yet you can’t find a company server or Linux distro that wasn’t happily relying on it for its core infrastructure regardless.

You can’t sandbox something like XZ properly.

Make the threat explicit by all means, people should be aware of it, but I think the end result is another “why bother” reflex for people aiming to take control of their privacy. The fact is these factors are largely outside of your control.

Imo, the larger the list, the easier it is for someone new to this space to decide that it is futile.


We wouldn’t be adding those links to the page, that was more for this discussion thread.

With the site we try to write content that does not rely on external sources to explain itself.

The recommendation we would make to readers is to not necessarily install a bunch of obscure apps on their devices thus reducing the space in which one of those developers could maliciously introduce something.

Perhaps we could make some suggestions to people who are curious such as with open source software, looking to see how many maintainers an app has and how long they’ve been around for. If a piece of software is developed by a largish company then there are likely to be more people involved and less chance of something being “slipped” in there.

Unfortunately it can never be mitigated entirely.

I had something like this in mind:

Supply chain attacks and the many different ways I’ve backdoored your dependencies