Open Source Security
rust crates.io Security Model Reviewed
A look at how crates.io handles authentication, yanking, namespace squatting, and the supply chain risks that remain in mid-2024.
Jul 14, 20246 min read
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
A look at how crates.io handles authentication, yanking, namespace squatting, and the supply chain risks that remain in mid-2024.
Exhausted maintainers are not just a welfare problem. They are a security problem. Burnout is a precondition for social engineering, delayed patches, and hostile takeovers.
go.sum and the Go checksum database are among the most rigorous integrity mechanisms in any language ecosystem, and the verification patterns around them deserve to be understood and used well.
From MongoDB to HashiCorp, commercial open source vendors have repeatedly relicensed away from OSI-approved licenses. The pattern reveals a fundamental tension between sustainability and freedom.
Central Package Management pulled NuGet's multi-project version chaos into a single source of truth. The security implications run deeper than the ergonomics suggest.
PyPI API tokens look simple, but how you scope them decides whether a leaked CI secret is a bad day or an ecosystem event. A practical audit guide for security teams.
Between May and June 2024 at least 36 npm packages were hijacked via expired maintainer domains and leaked tokens. We map the cluster.
Module hijacking in Go is rare compared to npm, but it does happen, and the patterns worth watching are different from what you might expect from other ecosystems.
How to use Gemfile.lock as a real security artifact: checksums, frozen mode, reproducible resolves, and what changed in Bundler 2.5's expanded lockfile format.
Weekly insights on software supply chain security, delivered to your inbox.