Fifty Years of Open Source Software Supply Chain Security
Published on: 2025-05-11 02:04:22
April 1, 2025
Volume 23, issue 1
For decades, software reuse was only a lofty goal. Now it's very real.
Russ Cox
In March 1972, the United States Air Force started a review of a Honeywell Multics system to understand whether it could be used in secure environments. The report was issued in mid-1974 and concluded that Multics, while not secure, was better than its peers and might be a reasonable starting point for a secure system [23]. The report raised the potential of adding a backdoor (it was called a "trap door") to an innocent system call. When passed a specific, very unlikely input, the system call allowed reading or writing an arbitrary word of kernel memory. That tiny change would completely undermine the security of the system, and the report investigated the mechanics of how such a change might be made and hidden.
In March 2024, Andres Freund, a Postgres developer working at Microsoft, noticed that his Debian Li