- Published on
Software supply chain security is a people problem
Introduction
The maintainer stepped away and let the domain behind their email address expire. Someone then bought the domain, stood up a mailbox at the maintainer's old address, used it to reset the maintainer's password on the npm registry, and published a new version of the package with malicious code.
There is no solution. Literally, there is no solution. It is a people problem. If we declare that we can solve it with computer science, we are lying to ourselves.
This is one of the reasons why all the dependency managers are problematic. Every developer of a dependency manager promises themselves and everyone else that they are going to solve these problems with computer science, and it is impossible.
So whoever tells you that technology alone is going to solve the problem of supply chain security, you should reject that notion, because they are lying.
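The takeover described in this introduction has one precondition a consumer of the package can check for: a maintainer email whose domain no longer resolves. The script below is an added example, not code from the original article or from npm; the package names, maintainer names and email domains in it are constructed, and the `.test` domains are reserved names that never resolve. It reads metadata in the shape of the `maintainers` field that `npm view <pkg> --json` returns and flags any maintainer whose email domain cannot be reached. It does not contradict the point above: it finds a symptom of a maintainer who has walked away, it cannot bring them back, and a domain that resolves may already belong to whoever re-registered it.

```python
"""Flag dependencies whose maintainers' email domains no longer resolve.

Added example, not from the original article. A lapsed email domain is the
precondition for the password-reset takeover described above. Checking it
narrows the window; it does not fix the people problem.
"""
import re
import socket
from typing import Callable, Dict, List, Tuple

# Constructed sample in the shape of the `maintainers` field returned by
# `npm view <pkg> --json`. Package names, maintainer names and email
# domains are invented for this example.
SAMPLE_PACKAGES: Dict[str, dict] = {
    "left-widget": {
        "maintainers": [
            {"name": "alice", "email": "alice@example-active.test"},
        ],
    },
    "tiny-utils": {
        "maintainers": [
            {"name": "bob", "email": "bob@lapsed-maintainer.test"},
            {"name": "carol", "email": "carol@example-active.test"},
        ],
    },
    "no-contact": {
        "maintainers": [
            {"name": "dave"},  # registry entry with no email at all
        ],
    },
}

_EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")

# (maintainer name, email, reason) where reason is "unresolved" or "no-email"
Finding = Tuple[str, str, str]


def email_domain(email: str) -> str:
    """Return the lowercase domain part of an email address, or '' if malformed."""
    m = _EMAIL_RE.match(email or "")
    return m.group(1).lower() if m else ""


def dns_resolves(domain: str) -> bool:
    """True if the domain has an A/AAAA record (stdlib only; MX needs dnspython).

    A resolving domain is not proof the original maintainer still controls it:
    an expired-and-re-registered domain resolves just fine for its new owner.
    """
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def constructed_resolver(domain: str) -> bool:
    """Offline stand-in for dns_resolves so the sample runs without network."""
    return domain == "example-active.test"


def flag_unreachable_maintainers(
    packages: Dict[str, dict],
    resolves: Callable[[str], bool] = dns_resolves,
) -> Dict[str, List[Finding]]:
    """Map package name -> maintainers whose email domain cannot be reached.

    An entry with no parseable email is flagged too: a password reset could
    not be sent to it, but neither could a security report.
    """
    findings: Dict[str, List[Finding]] = {}
    for pkg, meta in packages.items():
        for m in meta.get("maintainers", []):
            name = m.get("name", "?")
            email = m.get("email", "")
            domain = email_domain(email)
            if not domain:
                findings.setdefault(pkg, []).append((name, email, "no-email"))
            elif not resolves(domain):
                findings.setdefault(pkg, []).append((name, email, "unresolved"))
    return findings


if __name__ == "__main__":
    # Swap constructed_resolver for dns_resolves to check real metadata.
    for pkg, problems in flag_unreachable_maintainers(
        SAMPLE_PACKAGES, constructed_resolver
    ).items():
        for name, email, reason in problems:
            print(f"{pkg}: {name} <{email}> {reason}")
```

Run it against real metadata by feeding the JSON from `npm view <pkg> --json` for each entry in your lockfile and passing `dns_resolves`. Treat a hit as a reason to pin the current version and look for a fork or a replacement, not as a finding that anything has already gone wrong.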
Keywords
- Maintainer
- Domain expiration
- Email address
- npm registry
- Malicious code
- People problem
- Computer science
- Dependency managers
- Supply chain security
FAQ
What happened when the domain expired?
- Someone else bought the domain, set up a mailbox at the maintainer's old email address, used it to reset the maintainer's password on the npm registry, and published a new version of the package with malicious code.
Is there a technical solution to this problem?
- No, it’s fundamentally a people problem. Relying solely on computer science to fix it is misleading.
Why are all dependency managers problematic in this context?
- Developers of dependency management systems often promise to resolve these issues using computer science, but this is not feasible given the human element involved.
What should you do if someone claims technology alone can solve supply chain security issues?
- You should reject that notion because it is not true. The issue requires a more comprehensive approach that includes addressing human factors.