Recommendations for mitigating supply chain attacks

Last month, several American institutions, including the NSA, published a document on what to do in order to avoid or at least mitigate supply chain attacks in software development, like the SolarWinds compromise:

Securing the Software Supply Chain

The relevant aspects of a secure development environment and process are described systematically and in great detail, which may help to identify any strengths and weaknesses in one’s own environment. So this seems to me to be a valuable resource well worth reading.

Just a warning: While the practices described there are very good and worth to be adopted, the amount of work needed for that will probably be far beyond available resources, but it’s the goal that counts!

I’m calling it especially to the attention of @adw and @marmarek, hoping that it will help with Qubes development, which - as far as I can see - is already using a lot of these techniques.


Interesting. Thanks for sharing.

hi @unman @Insurgo this reply is to continue our discussion in firmware backdoor ,
about supply chain or man in the middle attack, also trusting trust attack.

in case that, we are under heavy & serious, targeted attack & active surveillance,
a situation that are real for some people, i.e.
journalist, law activist, political activist, human right activist, whistle blower, etc
or people who live under oppressive / corrupt entity / system,

therefore, these people need to protect themselves from:
supply chain or man in the middle attack, also trusting trust attack.

is it possible for supply chain or man in the middle attack,
to give user, a compromised version of Qubes,
while we download it from correct source ?

how to mitigate from this attack ?

also said in verifying qubes iso ,
*if the machine on which you attempt the verification process is already compromised, *
it could falsely claim that a malicious ISO has a good signature.

which mean now there is trusting trust attack.

and the offered solution is Diverse Double Compiling (DCC) ,
i feel that the article is not easy to understand, anyone can explain DCC in a simple way ?
& how come diverse double compiling can relate with Qubes ISO verification ?
since DCC is about compiling,
but Qubes ISO is about downloading, authenticating, verifying, & installing.

thanks & regards,