A Retrospective Survey of 2024/2025 Open Source Supply Chain Compromises
Posted 3 months ago; last active 3 months ago
Source: words.filippo.io (tech story)
Key topics: Open Source, Supply Chain Security, Cybersecurity
The article presents a retrospective survey of open source supply chain compromises in 2024/2025, sparking discussion on the state of open source security and potential mitigations.
Snapshot generated from the HN discussion
Discussion activity: light (1 comment; first comment 7h after posting, peak in the 6-7h window)
Key moments
- Story posted: Oct 10, 2025 at 11:06 AM EDT (3 months ago)
- First comment: Oct 10, 2025 at 6:00 PM EDT (7h after posting)
- Peak activity: 1 comment in the 6-7h window
- Latest activity: Oct 11, 2025 at 12:58 AM EDT (3 months ago)
HN item ID: 45539902 (story). Last synced: 11/20/2025, 5:28:51 PM
This stands out as an easy mistake to make.
Let's say I want to start a new project in Rust that needs to touch web services for some reason. The standard answer today is "just use crate <X>." But let's say that I'm security sensitive and spooked by how easy it appears to compromise open source dependencies in 2025.
So I thought, "well, Signal is the gold standard for security and open source - let's see what they do". Libsignal's 'Cargo.lock' has 599 packages in it. Is someone at Signal auditing all of those (and monitoring them for updates)? I see many well-established shops using Rust with dependencies - I assume they're vendoring them internally and running them through their own reviews. Is that what everyone does? Or am I just being overly paranoid about the breadth of the dependency chain for what everyone relies on for being one of the most secure messaging clients?
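The comment above asks how anyone gets a handle on a 599-package Cargo.lock. As an added example (not code from the original post, the linked article, Signal or libsignal), here is a std-only Rust program that inventories a lockfile: it counts registry, git and local packages, flags registry packages that carry no checksum, lists git sources that have to be reviewed by their pinned commit, finds crates locked at more than one version, and answers which packages pull a given crate in. The lockfile in SAMPLE_LOCK is constructed for this example; its crate names, URLs and checksums are placeholders, and the parser handles only the keys Cargo writes into `[[package]]` tables.

```rust
// Added example, not from the original page and not Signal's or libsignal's code:
// a std-only inventory of a Cargo.lock, the first pass before deciding how to
// review a lockfile with hundreds of packages. SAMPLE_LOCK is constructed data.
use std::collections::BTreeMap;

#[derive(Debug, Clone, Default, PartialEq)]
pub struct LockedPackage {
    pub name: String,
    pub version: String,
    pub source: Option<String>,    // None for workspace/path members
    pub checksum: Option<String>,  // registry packages carry one; git packages do not
    pub dependencies: Vec<String>, // entries are "name" or "name version"
}

/// Parses the `[[package]]` tables of a Cargo.lock (keys: name, version, source,
/// checksum, dependencies). Any other table, e.g. a legacy [metadata], is skipped.
pub fn parse_cargo_lock(text: &str) -> Vec<LockedPackage> {
    let mut packages = Vec::new();
    let mut current: Option<LockedPackage> = None;
    let mut in_deps = false;
    for raw in text.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            packages.extend(current.take());
            current = Some(LockedPackage::default());
            in_deps = false;
            continue;
        }
        if line.starts_with('[') && !in_deps { packages.extend(current.take()); continue; } // other table
        let pkg = match current.as_mut() { Some(p) => p, None => continue };
        if in_deps {
            if line == "]" { in_deps = false; } else { pkg.dependencies.push(unquote(line.trim_end_matches(','))); }
            continue;
        }
        if let Some((key, value)) = line.split_once(" = ") {
            match key {
                "name" => pkg.name = unquote(value),
                "version" => pkg.version = unquote(value),
                "source" => pkg.source = Some(unquote(value)),
                "checksum" => pkg.checksum = Some(unquote(value)),
                "dependencies" if value == "[" => in_deps = true,
                _ => {}
            }
        }
    }
    packages.extend(current.take());
    packages
}

fn unquote(s: &str) -> String { s.trim().trim_matches('"').to_string() }

#[derive(Debug, Default, PartialEq)]
pub struct Inventory {
    pub total: usize, pub registry: usize, pub git: usize, pub local: usize, pub other: usize,
    pub registry_without_checksum: Vec<String>, // "name version": Cargo cannot verify these
    pub git_sources: Vec<String>,               // "name version source": review by pinned commit
    pub duplicate_versions: BTreeMap<String, Vec<String>>, // crates locked at several versions
}

pub fn inventory(packages: &[LockedPackage]) -> Inventory {
    let mut inv = Inventory::default();
    let mut versions: BTreeMap<String, Vec<String>> = BTreeMap::new();
    for p in packages {
        inv.total += 1;
        versions.entry(p.name.clone()).or_default().push(p.version.clone());
        let label = format!("{} {}", p.name, p.version);
        match p.source.as_deref() {
            None => inv.local += 1,
            Some(s) if s.starts_with("registry+") || s.starts_with("sparse+") => {
                inv.registry += 1;
                if p.checksum.is_none() { inv.registry_without_checksum.push(label); }
            }
            Some(s) if s.starts_with("git+") => { inv.git += 1; inv.git_sources.push(format!("{label} {s}")); }
            Some(_) => inv.other += 1,
        }
    }
    inv.duplicate_versions = versions.into_iter().filter(|(_, v)| v.len() > 1).collect();
    inv
}

/// Packages that list `name` as a dependency: answers "why is this crate in my tree?".
pub fn dependents_of(packages: &[LockedPackage], name: &str) -> Vec<String> {
    let mut out: Vec<String> = packages.iter()
        .filter(|p| p.dependencies.iter().any(|d| d.split_whitespace().next() == Some(name)))
        .map(|p| p.name.clone()).collect();
    out.sort(); out.dedup(); out
}

// Constructed lockfile: a workspace member, two versions of one registry crate (one
// missing its checksum) and a git dependency. Names, URLs and checksums are placeholders.
pub const SAMPLE_LOCK: &str = r##"version = 4
[[package]]
name = "demo-app"
version = "0.1.0"
dependencies = [
 "tiny-json 1.0.3",
 "tiny-json 2.0.0",
 "vendored-fork",
]
[[package]]
name = "tiny-json"
version = "1.0.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1111111111111111111111111111111111111111111111111111111111111111"
[[package]]
name = "tiny-json"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "vendored-fork"
version = "0.4.0"
source = "git+https://example.invalid/org/vendored-fork?rev=0123abcd#0123abcd"
"##;

fn main() {
    let packages = parse_cargo_lock(SAMPLE_LOCK);
    let inv = inventory(&packages);
    println!("{} packages: {} registry, {} git, {} local, {} other", inv.total, inv.registry, inv.git, inv.local, inv.other);
    println!("registry packages without checksum: {:?}", inv.registry_without_checksum);
    println!("git sources: {:?}\nmultiple versions: {:?}", inv.git_sources, inv.duplicate_versions);
    println!("dependents of tiny-json: {:?}", dependents_of(&packages, "tiny-json"));
}
```

To run it against a real project, replace SAMPLE_LOCK with the contents of the project's Cargo.lock (for instance via std::fs::read_to_string). The output is a triage list, not an audit: a registry package without a checksum cannot be verified by Cargo at build time, a git source has to be reviewed at the commit it pins, and a crate present in several versions doubles the code that needs reading. Tools such as cargo vet and cargo audit build on the same lockfile, but this kind of inventory is what tells you how large the review surface actually is.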