
This is a great write-up.

It's a very serious issue. I don't really know if there is any "one solution." I suspect that each project needs to set its own bar, and that any dependency that falls out of maintenance should be removed as quickly as possible (which was good practice, beforehand, but even more important, now).

[EDITED TO ADD]

I would also think about "scoring" the sensitivity of projects. Things like cryptography and low-level drivers would be highest-rated, while user-space chrome might not be as important.




Scoring framework: https://securityscorecards.dev/

Code: https://github.com/ossf/scorecard

April 2024 ranking of OSS projects by criticality, 100MB CSV: https://commondatastorage.googleapis.com/ossf-criticality-sc...
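As an added, hypothetical example (not from any commenter here, and not the Scorecard project's own code): a Python policy gate that consumes Scorecard JSON output and applies the per-sensitivity bar the first comment proposes, so that a cryptography library is held to a stricter standard than UI chrome and an unmaintained dependency fails the gate. The records below are constructed to resemble `scorecard --format=json` output; the `repo.name`, `score` and `checks[].name`/`checks[].score` field names are assumptions about that format, and the repository names, tier names, thresholds and scores are all made up.

```python
"""Gate third-party dependencies on OSSF Scorecard results, weighted by
how sensitive each dependency is to the consuming project.

Hypothetical example. SAMPLE_RESULTS is constructed to resemble
`scorecard --format=json` output; field names are assumptions.
"""
from dataclasses import dataclass, field

# Sensitivity tiers: cryptography and low-level code rank highest, UI
# chrome lowest. Tier names and floors are assumed policy, not Scorecard's.
TIER_MIN_SCORE = {
    "critical": 8.0,   # cryptography, drivers, anything with kernel access
    "standard": 5.0,   # ordinary application libraries
    "cosmetic": 3.0,   # UI chrome, themes, non-security tooling
}

# Per-check minimums that must hold regardless of the aggregate score.
# "Maintained", "Vulnerabilities" and "Dangerous-Workflow" are real
# Scorecard check names; the minimums are assumed policy.
HARD_CHECKS = {
    "critical": {"Maintained": 7, "Vulnerabilities": 10, "Dangerous-Workflow": 10},
    "standard": {"Maintained": 5, "Vulnerabilities": 10},
    "cosmetic": {"Vulnerabilities": 10},
}


@dataclass
class Verdict:
    repo: str
    tier: str
    allowed: bool
    reasons: list = field(default_factory=list)


def evaluate(result: dict, tier: str) -> Verdict:
    """Apply the tier's aggregate floor and hard checks to one Scorecard result."""
    if tier not in TIER_MIN_SCORE:
        raise ValueError(f"unknown tier {tier!r}")
    repo = result["repo"]["name"]
    reasons = []

    aggregate = result["score"]
    if aggregate < TIER_MIN_SCORE[tier]:
        reasons.append(
            f"aggregate score {aggregate} below {tier} floor {TIER_MIN_SCORE[tier]}"
        )

    # Scorecard reports -1 when a check could not be evaluated. A gate has to
    # treat "unknown" as failing; a missing check is handled the same way.
    scores = {c["name"]: c["score"] for c in result.get("checks", [])}
    for name, minimum in HARD_CHECKS[tier].items():
        got = scores.get(name, -1)
        if got < 0:
            reasons.append(f"{name}: not evaluated (score {got})")
        elif got < minimum:
            reasons.append(f"{name}: {got} < required {minimum}")

    return Verdict(repo, tier, allowed=not reasons, reasons=reasons)


def audit(results: list, tiers: dict, default_tier: str = "standard") -> list:
    """Evaluate every result, looking up each repo's tier (unknown repos get default_tier)."""
    return [evaluate(r, tiers.get(r["repo"]["name"], default_tier)) for r in results]


# Constructed sample data, shaped like Scorecard JSON output.
SAMPLE_RESULTS = [
    {"repo": {"name": "github.com/example/fastcrypto"}, "score": 6.9,
     "checks": [{"name": "Maintained", "score": 3},
                {"name": "Vulnerabilities", "score": 10},
                {"name": "Dangerous-Workflow", "score": 10}]},
    {"repo": {"name": "github.com/example/widgets-ui"}, "score": 4.1,
     "checks": [{"name": "Maintained", "score": 2},
                {"name": "Vulnerabilities", "score": 10}]},
    {"repo": {"name": "github.com/example/http-client"}, "score": 7.5,
     "checks": [{"name": "Maintained", "score": 8},
                {"name": "Vulnerabilities", "score": -1}]},
]

# Sensitivity assignment per dependency (assumed; this is the project's call).
SAMPLE_TIERS = {
    "github.com/example/fastcrypto": "critical",
    "github.com/example/widgets-ui": "cosmetic",
}

if __name__ == "__main__":
    for v in audit(SAMPLE_RESULTS, SAMPLE_TIERS):
        status = "ALLOW" if v.allowed else "BLOCK"
        print(f"{status} {v.repo} [{v.tier}] {'; '.join(v.reasons)}")
```

The point of the two-layer check is that a good aggregate score can mask a single bad signal: the constructed crypto library has a respectable 6.9 overall but fails on maintenance alone, and the HTTP client fails because its vulnerability check never ran, which a gate must not silently treat as a pass.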


The scorecard stuff is flawed.

You want to decide if something is secure or insecure but without reading the code. It's never going to have any correlation.


Thanks!

I have a friend that used to work for a company called “SecurityScorecard.”

Different beast, though. I think the idea was similar.

