Open Source Insights is an experimental service by Google to better understand the dependencies of open-source software packages. Currently supported are Cargo (Rust), Go modules, Maven (Java), and npm (Node.js).
The vulnerability that allowed the execution of arbitrary shell commands on the trunk server was introduced six years ago.
Article on how, with AMD PSB (Platform Secure Boot) enabled, CPUs become locked to a single vendor's ecosystem.
This post introduces sigstore, a Linux Foundation project that aims to improve open-source software supply chain integrity and verification.