2023-01-03
This is a dependency confusion attack once again - https://medium.com/.... You should be pinning your deps using pipfile.lock/poetry.lock (hopefully Python natively supports lock files one day), and long-term package signing with SLSA provenance is coming! https://twitter.com/...
BleepingComputer
PyTorch identifies a malicious dependency using its “torchtriton” library name, warning nightly version users to uninstall; the hacker claims ethical research
PyTorch has identified a malicious dependency with the same name as the framework's ‘torchtriton’ library.
2022-08-09
Yet another win for @projectsigstore. NPM published an RFC to add support for end-to-end signing of npm packages. This joins the growing list of ecosystems that have expressed interest - Python, RubyGems and Maven - https://github.blog/...
Wired
GitHub partners with code-signing service Sigstore to add support for signing npm software packages, helping improve the security of open source projects
most people just don't believe you or are terrified.” Dramatic supply chain updates from @lorenc_dan @jhutchings0 @npmjs @projectsigstore https://www.wired.com/... @npmjs : Today w...
2022-05-14
Insights on @Google's open source security journey with @theopenssf, industry partners and open source community over the last year and what's coming next - https://blog.google/...
Cybersecurity Dive
The Linux Foundation and OpenSSF plan to spend $150M+ to boost open source and supply chain security; Amazon, Google, Intel, Microsoft, and others pledged $30M+
David Jones / Cybersecurity Dive:
2021-10-03
Today, @Google launches the “Secure Open Source” (https://sos.dev/) rewards program to help developers proactively harden critical OSS projects and supporting infrastructure against application and supply chain attacks. https://security.googleblog.com/ ...
The Record
Google announces a $1M sponsorship for Linux Foundation's Secure Open Source, a new pilot program to enhance the security of critical open source projects
Catalin Cimpanu / The Record:
2021-08-27
Happy 30th birthday Linux! From @kees_cook - “Linux currently runs on everything from the smartphone we rely on everyday to the International Space Station. To rely on the internet is to rely on Linux.” - https://www.theregister.com/ ...
The Register
As Linux turns 30, a Q&A with Greg Kroah-Hartman, who oversees Linux kernel releases, on lessons learned, upcoming challenges, why Linux succeeded, and more
Greg Kroah-Hartman talks to El Reg about world domination, what was, and what may be for the kernel. Tweets: @ericabrescia, @sjvn, @infernosec, and @theregister. Tweets: Erica Bre...